[arch-general] Is Voting Effective?

Mark Lee mark at markelee.com
Fri Apr 11 20:17:09 EDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/11/2014 07:45 PM, Taylor Hornby wrote:
> On 04/11/2014 04:27 PM, Daniel Wallace wrote:
>> So you're saying... blindly trusting someone else that is unknown
>> to build and blindly sign a package is more secure than you
>> downloading the pkgbuild with cower or something, looking at the
>> PKGBUILD, and then using makepkg...
> 
>> How is that?
> 
> No, that person has to be trusted not to actively sign malicious
> binaries of their own creation and to keep their private key secret.
> 
> I'm saying: A single trusted person blindly building and signing
> packages is more secure than everyone blindly building and signing
> packages.
> 
> It's a single opportunity for attack on everyone versus an opportunity
> for an attack each time a user installs a package from the AUR. The
> former is more detectable after-the-fact (thus much less likely to be
> done by an intelligence agency like the NSA) and can be done in a safer
> environment (cable internet connection in the USA vs. a WiFi hotspot in
> Syria).
> 
> The process could also involve grabbing the files (or hashes) through
> different Tor exit nodes and comparing them to make sure they're all the
> same, and there's no attacker messing with the local Internet
> connection.
> 
> 
>> Second, where do you propose the computing time and the storage
>> space comes from to support this kind of repository?
> 
> 
> Would it really be that much? How do other distributions manage it?
> 
> -Taylor
> 
> 

Salutations,

The point of Arch is that security is mainly a user concern. Arch
doesn't target users who would just blindly install packages from the
AUR without reading the PKGBUILD first, or reading the source code as
another step. If one doesn't know how to compile and/or modify the code
they are using, they really shouldn't be using the code. While other
distributions do this, I strongly disagree with it.

Arch users should read the wiki on how to compile with makepkg before
attempting to install packages from the AUR. By the way, installing a
package can be as simple as "$ makepkg -s -r -i" or more complicated if
further dependencies must be compiled.

Security through a messiah is as useful as security through obscurity.

Regards,
Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iF4EAREIAAYFAlNIhgUACgkQZ/Z80n6+J/ZudAD/QSrAwDUtelbUV9MKB6m51tSi
j/8orGFQE4uaUPb6hwwA/Alcgy8mLCTExbbVPDy7TPwYHW5tp9+moDs+enMHA4sv
=ES3a
-----END PGP SIGNATURE-----
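
The cross-check described in the quoted text above (fetch the same files or hashes over several network paths and compare them), as an added example that is not part of the original thread. The function name, path labels and toy PKGBUILD bytes are constructed for illustration, and the fetching itself is left out: the received bytes are supplied inline.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: a toy PKGBUILD and a copy altered in transit.
PKGBUILD = (b'pkgname=example\npkgver=1.0\n'
            b'source=("https://example.org/example-1.0.tar.gz")\n')
ALTERED = PKGBUILD.replace(b"example.org", b"example.net")


def compare_fetches(copies, min_paths=3):
    """Compare one file as fetched over several independent network paths.

    copies maps a path label to the bytes received, or None if that fetch
    failed. Returns (verdict, groups); groups maps each SHA-256 digest seen
    to the sorted labels of the paths that returned it.
    """
    groups = defaultdict(list)
    for label, data in sorted(copies.items()):
        if data is not None:
            groups[hashlib.sha256(data).hexdigest()].append(label)
    groups = dict(groups)
    answered = sum(len(labels) for labels in groups.values())
    if answered < min_paths:
        # Too few independent views to conclude anything: fail closed.
        return "insufficient", groups
    if len(groups) == 1:
        return "consistent", groups
    # Any disagreement fails the check. There is no majority vote, because
    # the local connection may be the one path that is being altered.
    return "mismatch", groups


def main():
    cases = {
        "all paths agree": {"path-a": PKGBUILD, "path-b": PKGBUILD,
                            "path-c": PKGBUILD},
        "one path altered": {"path-a": PKGBUILD, "path-b": PKGBUILD,
                             "path-c": ALTERED},
        "two fetches failed": {"path-a": PKGBUILD, "path-b": None,
                               "path-c": None},
    }
    for name, copies in cases.items():
        verdict, groups = compare_fetches(copies)
        print(f"{name}: {verdict}")
        for digest, labels in groups.items():
            print(f"  {digest[:16]}...  {', '.join(labels)}")


if __name__ == "__main__":
    main()
```

Agreement across paths only rules out tampering on an individual path; it says nothing about an origin that serves every path the same altered file.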

