[arch-general] Packages Verified with MD5

Karol Blazewicz karol.blazewicz at gmail.com
Sun Jan 12 15:45:34 EST 2014


On Sun, Jan 12, 2014 at 9:40 PM, Taylor Hornby <havoc at defuse.ca> wrote:
> On 01/12/2014 10:27 AM, Jelle van der Waa wrote:
>> No, you don't rely on hashes for security, hashes are for
>> integrity checks. Signatures are for the verification of a file or
>> message, since anyone can replace the hash on the server and upload
>> a new tarball.
>
> I agree, and I understand how signatures work. But what am I missing?
> It looks like in e.g. the Firefox package...
>
> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/firefox
>
> ...the only thing preventing a man in the middle from tampering with
> the binaries as an Arch user installs Firefox are those SHA256 hashes.
>
> I guess I just don't understand what happens when I type "pacman -S
> firefox." Does that run the PKGBUILD on my system, or does it download
> and install pre-compiled (and signed) Firefox binaries that were
> created by one of the Arch developers using the PKGBUILD?
>
> I have been assuming the former, that when I do pacman -S firefox or
> pacman -S truecrypt, it runs the PKGBUILD on *my* system. Is that not
> the case?
>
> Thanks for your time,
> --
> Taylor Hornby

Which part of the man page or the wiki isn't clear about what 'pacman
-S foo' does?
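The hashes-versus-signatures point Jelle makes above, as an added illustration that is not part of the thread: a mirror operator or man-in-the-middle who swaps the tarball can recompute the checksum shipped beside it, but cannot produce a signature without the maintainer's private key. The key, the "mirror" dict and the tarball contents are all constructed for this example, and the RSA key is a toy-sized stand-in for a real signing key.

```python
import hashlib

# Toy RSA key, constructed for illustration only. Real signing keys are 2048+ bits;
# this modulus is small enough to factor by hand, so it proves nothing about strength,
# only the flow: the verifier holds (N, E), the maintainer alone holds D.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _digest_int(data: bytes) -> int:
    # Reduce the digest mod N because the toy modulus is far smaller than 256 bits.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, d: int = D) -> int:
    return pow(_digest_int(data), d, N)


def verify(data: bytes, sig: int, e: int = E) -> bool:
    return pow(sig, e, N) == _digest_int(data)


def publish(tarball: bytes) -> dict:
    """Maintainer publishes the tarball, its checksum, and a signature over it."""
    return {"tarball": tarball, "sha256sum": sha256(tarball), "sig": sign(tarball)}


def tamper(mirror: dict, evil: bytes) -> dict:
    """Attacker controlling the download path swaps the tarball and recomputes
    the checksum. D is not theirs, so the old signature is all they can ship."""
    return {**mirror, "tarball": evil, "sha256sum": sha256(evil)}


def checksum_passes(mirror: dict) -> bool:
    """Integrity check only: compares the file against the checksum shipped with it."""
    return sha256(mirror["tarball"]) == mirror["sha256sum"]


def signature_passes(mirror: dict) -> bool:
    """Authenticity check: the signature must verify under the maintainer's public key."""
    return verify(mirror["tarball"], mirror["sig"])


if __name__ == "__main__":
    good = publish(b"firefox-source.tar.bz2 (constructed contents)")
    bad = tamper(good, b"same name, different contents (constructed)")
    print("original:", checksum_passes(good), signature_passes(good))   # True True
    print("tampered:", checksum_passes(bad), signature_passes(bad))     # True False
```

The checksum only tells you the file matches whatever the same channel said it should match; the signature ties it to a key the attacker does not hold, which is why a checksum in a file you fetched from the same place as the tarball is integrity, not verification.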
