[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)
Aleksis Jauntēvs
aleksis.jauntevs at gmail.com
Tue Jun 15 12:43:35 EDT 2010
On Tuesday 15 June 2010 19:37:00 Pierre Schmitz wrote:
> On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs
>
> <aleksis.jauntevs at gmail.com> wrote:
> > I dont think that repo.db should be signed and it is enough to sign only
> > the
> > packages. As I understand so far the only reason to sign repo.db file is
> > to
> > prevent "replay" situations in repos.
>
> It's the other way round: signing the DB is important while signing single
> packages is not (but should still be done for some reasons).
>
> If the DB is not signed I could simply add additional packages or replace
> packages.
Yes, but if we compare the repo.db's with other mirrors then we could tell
that this has happened.
--
Aleksis Jauntēvs
More information about the arch-general
mailing list