[arch-general] Packages Verified with MD5
Kyle Terrien
kyleterrien at gmail.com
Sun Jan 12 17:15:27 EST 2014
On 01/12/2014 01:13 PM, Taylor Hornby wrote:
> Thank you, that makes so much more sense!
>
> So, really, the vulnerability only exists while the Arch dev (or
> package maintainer or whatever they're called) is building the
> package. Once they do, and sign it, all Arch users will verify their
> signature to make sure they get the same file the Arch dev created.
That's correct! See these pages for more info on how pacman's signature
checking works:
<https://wiki.archlinux.org/index.php/Pacman#Package_security>
<https://wiki.archlinux.org/index.php/Pacman-key>
> That's not so bad, then, since you can't really do any better unless
> the upstream source (Mozilla) signs their files, and the package
> maintainer has their public key.
To be honest, I'm a little surprised that Mozilla doesn't sign their
Firefox source code.
Kyle
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20140112/cdee170f/attachment-0001.asc>
More information about the arch-general
mailing list