[arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)
Eli Schwartz
eschwartz93 at gmail.com
Mon Oct 31 23:18:01 UTC 2016
On 10/31/2016 05:50 PM, Leonid Isaev wrote:
> As a side question... is there a significant difference in signing PKGBUILD vs
> the compiled package.
Do you realize, when you ask if there is a difference between signing a
PKGBUILD vs. a built package, it sounds an awful lot like asking if
there is a difference between a PKGBUILD and a built package?
Well, of course there is a difference. They are two different things...
> Given that when building a pkg, I inspect the PKGBUILD,
> what attack is possible when the PKGBUILD is not signed?
Off the top of my head, there is *the topic of this thread*. Someone
could modify the checksums and deliver fake sources. When the PKGBUILD
just says "run `make`", how do you tell the difference?
--
Eli Schwartz
More information about the arch-general
mailing list