[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

C Anthony Risinger anthony at extof.me
Tue Jun 15 12:59:07 EDT 2010


On Tue, Jun 15, 2010 at 11:43 AM, Aleksis Jauntēvs
<aleksis.jauntevs at gmail.com> wrote:
> On Tuesday 15 June 2010 19:37:00 Pierre Schmitz wrote:
>> On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs
>>
>> <aleksis.jauntevs at gmail.com> wrote:
>> > I don't think that repo.db should be signed and it is enough to sign only
>> > the packages. As I understand so far the only reason to sign repo.db file is
>> > to prevent "replay" situations in repos.
>>
>> It's the other way round: signing the DB is important while signing single
>> packages is not (but should still be done for some reasons).
>>
>> If the DB is not signed I could simply add additional packages or replace
>> packages.
>
> Yes, but if we compare the repo.db's with other mirrors then we could tell
> that this has happened.

Seems to defeat the purpose when you have to crosscheck everything.
Nothing is secure unless the entire chain is secure.

I'd say give devs their own private keys to sign packages, and have
the build server auto sign DBs upon upload of a new package. Use
detached sigs and push them with the package.

Use a detached sig for the repo, and download it with the db file. If
the client doesn't understand signatures, it just doesn't download/use
them. I think a pacman wrapper could even implement this, as a proof
of concept.
