[arch-general] Packages Verified with MD5

Taylor Hornby havoc at defuse.ca
Sun Jan 12 16:13:53 EST 2014


On 01/12/2014 01:56 PM, Kyle Terrien wrote:
> On 01/12/2014 12:40 PM, Taylor Hornby wrote:
>>> I guess I just don't understand what happens when I type
>>> "pacman -S firefox." Does that run the PKGBUILD on my system,
>>> or does it download and install pre-compiled (and signed)
>>> Firefox binaries that were created by one of the Arch
>>> developers using the PKGBUILD?
> "pacman -S firefox" installs a pre-compiled binary maintained by an
> Arch Dev. On the other hand, PKGBUILDs are for building packages.
> 
> And the official firefox package is cryptographically signed by
> the package maintainer (not Mozilla).
> 
> Hopefully, that clears things up.

Thank you, that makes so much more sense!

So, really, the vulnerability only exists while the Arch dev (or
package maintainer or whatever they're called) is building the
package. Once they do, and sign it, all Arch users will verify their
signature to make sure they get the same file the Arch dev created.

That's not so bad, then, since you can't really do any better unless
the upstream source (Mozilla) signs their files, and the package
maintainer has their public key.

-- 
Taylor Hornby
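The last paragraph above names upstream signatures as the missing link in the chain. As an added example (not from this thread, and not Arch's own makepkg code), the shell below shows the check makepkg performs on a PKGBUILD's validpgpkeys array: a detached upstream signature is accepted only if gpg reports VALIDSIG with a full fingerprint on that list, so a merely "good" signature from some other key is rejected. The fingerprint and the status lines are constructed placeholders; verify_upstream_sig assumes gpg is installed and the upstream key has been imported into the keyring.

```shell
#!/bin/sh
# Added example (not part of the thread): mirror what makepkg does with a
# PKGBUILD's validpgpkeys array, i.e. accept an upstream detached signature
# only if it is VALID *and* made by a key whose full fingerprint is listed.
# The fingerprint below is a constructed placeholder, not a real key.
VALIDPGPKEYS="0123456789ABCDEF0123456789ABCDEF01234567"

# Read gpg --status-fd output on stdin; return 0 only if a VALIDSIG line
# names a fingerprint from the allowed list. GOODSIG alone is not enough:
# it says the signature checks out, not that the key is one we trust.
check_validsig_status() {
    allowed="$1"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                set -- $line            # $3 is the full 40-hex fingerprint
                fpr=$3
                for k in $allowed; do
                    [ "$k" = "$fpr" ] && return 0
                done
                ;;
        esac
    done
    return 1
}

# Verify a source tarball against its detached .sig/.asc the way makepkg does.
# Assumes gpg is installed and the signing key has been imported.
verify_upstream_sig() {
    tarball="$1"; sig="$2"
    gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null \
        | check_validsig_status "$VALIDPGPKEYS"
}
```

The same fingerprint comparison is why pacman's own SigLevel checks are only as strong as the keyring the maintainer's key was imported into.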

