[arch-general] Packages Verified with MD5

Eduardo Machado eduardo.machado at gmail.com
Tue Jan 14 14:05:55 EST 2014

2014/1/12 Taylor Hornby <havoc at defuse.ca>

> Hash: SHA1
> On 01/12/2014 01:56 PM, Kyle Terrien wrote:
> > On 01/12/2014 12:40 PM, Taylor Hornby wrote:
> >>> I guess I just don't understand what happens when I type
> >>> "pacman -S firefox." Does that run the PKGBUILD on my system,
> >>> or does it download and install pre-compiled (and signed)
> >>> Firefox binaries that were created by one of the Arch
> >>> developers using the PKGBUILD?
> > "pacman -S firefox" installs a pre-compiled binary maintained by an
> > Arch Dev. On the other hand, PKGBUILDs are for building packages.
> >
> > And the official firefox package is cryptographically signed by
> > the package maintainer (not Mozilla).
> >
> > Hopefully, that clears things up.
> Thank you, that makes so much more sense!
> So, really, the vulnerability only exists while the Arch dev (or
> package maintainer or whatever they're called) is building the
> package. Once they do, and sign it, all Arch users will verify their
> signature to make sure they get the same file the Arch dev created.
> That's not so bad, then, since you can't really do any better unless
> the upstream source (Mozilla) signs their files, and the package
> maintainer has their public key.
I think this could yet be a problem if the sys admin wants to build all of
it's system.
Then he will fall into the same problem with the AUR PKGBUILDs, or am i

More information about the arch-general mailing list