[arch-general] Arch Linux security is still poor....
Ionut Biru
biru.ionut at gmail.com
Tue Mar 16 18:50:43 CET 2010
On 03/16/2010 07:24 PM, Nilesh Govindarajan wrote:
> On Tue, Mar 16, 2010 at 10:48 PM, Jared Casper<jaredcasper at gmail.com> wrote:
>> On Tue, Mar 16, 2010 at 8:49 AM, Aaron Griffin<aaronmgriffin at gmail.com> wrote:
>>> On Tue, Mar 16, 2010 at 12:32 AM, Nilesh Govindarajan<lists at itech7.com> wrote:
>>>> I don't think we need any security team for Arch. New packages are
>>>> released within a week of their updates. GPG signing and md5sum
>>>> verification is a must though.
>>>
>>> md5sum verification has ALWAYS been done
>>>
>>
>> In a security context, verification of files installed by a package
>> _after installation_ would be nice. i.e. "pacman --verify
>> /usr/sbin/sshd" would tell me if the md5sum (or sha1sum, etc) of my
>> /usr/sbin/sshd matches that of the official package.
>>
>> Jared
>>
>
> Let this thread not be just another "Will be nice" one. Pacman devs,
> please start implementing these package verification things.
>
sudo make me a sandwich.
--
Ionut
More information about the arch-general
mailing list