[arch-general] Package signing (was: Arch Linux security is still poor)
Thomas Bächler
thomas at archlinux.org
Wed Mar 17 10:06:03 CET 2010
Am 17.03.2010 01:06, schrieb Linas:
> There are several ways to close the gap:
> *Always download the package list from ftp.archlinux.org
> It's the easier solution, but it only protects against the mirror
> operator. Moreover, it increases load on that server and makes it a
> single point of failure.
ftp.archlinux.org is yet another mirror ... a very slow one.
> *Package lists are signed from a trusted master key. There may be up to
> a key per repo.
> Easy to provide, allows backward compatibility.
Signing databases would work if we had another hash than md5 for packages.
> *Packages are automatically signed by ftp.archlinux.org before
> distributing them.
Hmm, see above.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20100317/6c88f14c/attachment.bin>
More information about the arch-general
mailing list