[arch-general] Is Voting Effective?

Taylor Hornby havoc at defuse.ca
Fri Apr 11 19:45:46 EDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/11/2014 04:27 PM, Daniel Wallace wrote:
> So you're saying... blindly trusting someone else that is unknown
> to build and blindly sign a package is more secure than you
> downloading the pkgbuild with cower or something, looking at the
> PKGBUILD, and then using makepkg...
> 
> How is that?

No, that person has to be trusted not to actively sign malicious
binaries of their own creation and to keep their private key secret.

I'm saying: A single trusted person blindly building and singing
packages is more secure than everyone blindly building and signing
packages.

It's a single opportunity for attack on everyone versus an opportunity
for an attack each time a user installs a package from the AUR. The
former is more detectable after-the-fact (thus much less likely to be
done by an intelligence agency like the NSA) and can be done in a safer
environment (cable internet connection in the USA vs. a WiFi hotspot in
Syria).

The process could also involve grabbing the files (or hashes) through
different Tor exit nodes and comparing them to make sure they're all the
same, and there's no attacker messing with the local Internet
connection.

> 
> Second, where do you propose the computing time and the storage
> space comes from to support this kind of repository?
> 

Would it really be that much? How do other distributions manage it?

- -Taylor

- -- 
Taylor Hornby
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJTSH6qAAoJEN+oIJzpZ41dEiEP/i2/galkxDm6TLC4PZW+E8Qd
vPmnZ4hfgLbeK7Xwj6Wj7mS23T+RmydQTkLjaxJtsnmTF4zU5JNaHhz/bKyp1OKf
eoWQeCJWQqEEDnLhN0M1jYif85VT14ZEVLcuTsRmG8+AM6rJQ75kM9KiSN8GzXr4
yzlsxiHIWj6i8s/myl2zOj+WVmat18Ia/6971Jf0kWKKXn1gKz69EtJpvQPpQMas
DmQqlgVVpNtrOUwmai0JcJbgDe5CMUCKhtHfcWASaGlGFbx4epe49YRdOTupj3BZ
e7Xt31Dd6f5Pbb3uMFaYv1CnTtysjWvDJMMa0jt/izHggmOsaDTf7cEDAOu5tDmO
nGC3L5InWIIHMeH/EA+ct29OaXmIqLZg/pvlOgL/vhSNLhFVbNaeZhSeiuWuAccK
ktT4I/z5n+FuDpi8iIJbdBgAevSDpW5e5iWh9T4vzXtddWXrJQlbvOiYAM5FmTgN
Hyz0VKQD2ge7gIA0rXRdLCOoHX11mO0K6KKgDj8t/Ty6FR2wr4WF6cn7rZUsen4s
Cl0Hdaz06wx9fF6S3Vae4bpZxAIDvz/bfaOSxDWlDCdgryx++aKIQwW3tHtn1+zu
Ux7Urd9ccTOFMwStMPOLQnpfoo1f1MlDPtFvvbA3klCFMDTkCHBTFv9yofr16FtW
VU48Tf5CZaUzggKll0x6
=/UiM
-----END PGP SIGNATURE-----


More information about the arch-general mailing list