[arch-general] pacman-key complaining, but what to do about it?
Daniel Micay
danielmicay at gmail.com
Wed Apr 2 13:01:43 EDT 2014
On 02/04/14 01:00 PM, Daniel Micay wrote:
> On 02/04/14 12:47 PM, Nowaker wrote:
>>> There may be a transparent proxy in your routing chain that strips
>>> compression in order to run a virus scan.
>>
>> Time for SSL-securing Arch Linux repos to prevent any sort of
>> man-in-the-middle attacks? Even such trivial things like compression
>> stripping, or image optimization often performed by mobile internet
>> providers is a man-in-the-middle. This should be fought by any means.
>
> Packages are already signed, and pacman has support for signing the
> repositories. Using TLS for repositories is close to useless because the
> mirrors are not *really* trusted entities, and the CA system is a broken
> alternative to the solid archlinux-keyring package.
We aren't actually signing the sync databases yet, but should be. Even
if it means using a low-trust key on the servers, it would need to be
treated differently than the package signing keys if it was a lower
trust level though, because it shouldn't be able to sign packages.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20140402/00037370/attachment.asc>
More information about the arch-general
mailing list