[arch-projects] [dbscripts][PATCH] Prepare to sign repo databases

Thomas Bächler thomas at archlinux.org
Sun Nov 3 05:17:23 EST 2013

Am 03.11.2013 11:03, schrieb Allan McRae:
> If an attacker obtains any of our packagers keys then they can sign a
> package.  So by your logic we should not be signing packages.
> Also, this is the way every other distro signs their databases and
> packages.  And they all use gpgv to verify packages which has no idea
> about a web of trust.  This seems like something we should be able to
> achieve...
> Finally, I think signing databases is far more important than signing
> packages.  The most practical attack on Arch is to become a mirror and
> hold back package updates with known vulnerabilities.  Then you even
> know the IP addresses of people who have the vulnerable package.  DB
> signing stops this as the entire database needs held back and people
> will notice the lack of updates.

I tend to fully agree with Allan here. We need to sign databases and the
risk of having the signing key on nymeria is smaller than you make it look.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-projects/attachments/20131103/258883d4/attachment.asc>

More information about the arch-projects mailing list