[arch-general] Packages Verified with MD5
havoc at defuse.ca
Sun Jan 12 16:13:53 EST 2014
On 01/12/2014 01:56 PM, Kyle Terrien wrote:
> On 01/12/2014 12:40 PM, Taylor Hornby wrote:
>>> I guess I just don't understand what happens when I type
>>> "pacman -S firefox." Does that run the PKGBUILD on my system,
>>> or does it download and install pre-compiled (and signed)
>>> Firefox binaries that were created by one of the Arch
>>> developers using the PKGBUILD?
> "pacman -S firefox" installs a pre-compiled binary maintained by an
> Arch Dev. On the other hand, PKGBUILDs are for building packages.
> And the official firefox package is cryptographically signed by
> the package maintainer (not Mozilla).
> Hopefully, that clears things up.
Thank you, that makes so much more sense!
So, really, the vulnerability only exists while the Arch dev (or
package maintainer or whatever they're called) is building the
package. Once they do, and sign it, all Arch users will verify their
signature to make sure they get the same file the Arch dev created.
That's not so bad, then, since you can't really do any better unless
the upstream source (Mozilla) signs their files, and the package
maintainer has their public key.
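The trust model the reply describes, as an added shell example that is not part of this thread or of pacman itself: a maintainer key produces a detached signature over a built package, and the user re-verifies that signature so any change to the file after signing is rejected. The key, the maintainer identity and the package contents below are made up for the demonstration; the only real requirement is that the gpg binary is installed.

```shell
#!/bin/sh
# Added example (not from the arch-general thread or from pacman):
# emulate "maintainer signs, user verifies" with GnuPG in a throwaway keyring.
set -u

demo_signature_check() {
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/gnupg"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

    # Hypothetical maintainer key, generated unprotected purely for the demo.
    gpg --batch --quiet --gen-key >/dev/null 2>&1 <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Maintainer
Name-Email: maintainer@example.invalid
Expire-Date: 0
%commit
EOF

    # Constructed stand-in for the built package the maintainer would upload.
    printf 'pretend this is firefox-1.0-1-x86_64.pkg.tar.xz\n' > "$work/pkg.tar.xz"

    # Maintainer side: detached signature, the equivalent of the .sig file
    # pacman fetches next to each package.
    gpg --batch --quiet --detach-sign --output "$work/pkg.tar.xz.sig" \
        "$work/pkg.tar.xz" 2>/dev/null || { rm -rf "$work"; return 1; }

    # User side: the untouched file must verify against the signature ...
    if gpg --batch --quiet --verify "$work/pkg.tar.xz.sig" "$work/pkg.tar.xz" 2>/dev/null; then
        genuine=0
    else
        genuine=1
    fi

    # ... and a file altered after signing must be rejected, even by one byte.
    printf 'x' >> "$work/pkg.tar.xz"
    if gpg --batch --quiet --verify "$work/pkg.tar.xz.sig" "$work/pkg.tar.xz" 2>/dev/null; then
        tampered=0
    else
        tampered=1
    fi

    rm -rf "$work"
    # Returns success only if the genuine file verified and the tampered one did not.
    [ "$genuine" -eq 0 ] && [ "$tampered" -eq 1 ]
}

demo_signature_check && echo "genuine package verified, tampered package rejected"
```

This is exactly the check pacman performs, with the difference that pacman uses the distribution keyring managed by pacman-key rather than a throwaway GNUPGHOME, and the SigLevel setting in /etc/pacman.conf decides whether a missing or untrusted signature is fatal. Note what the check does not cover, which is the point made in the message above: the signature proves the file is the one the maintainer signed, not that the maintainer's build input matched what upstream released.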