[aur-general] Discussion about AUR packages signing

Daniel Micay danielmicay at gmail.com
Fri Aug 8 04:02:30 EDT 2014


On 08/08/14 03:43 AM, Ralf Mardorf wrote:
> In the past, which packages provided by the AUR needed signing because
> somebody manipulated the packages after uploading? AFAIK https for the AUR
> downloads and checksums for the upstream downloads didn't often cause
> serious trouble in the past; IIRC it usually was safe.
> 
> Is there such a security mechanism, if we build from ABS?

The AUR has had SQL injection vulnerabilities in the past. It has also
had a fair number of CSRF / XSS vulnerabilities allowing actions to be
taken on behalf of package maintainers.

It's being well maintained now, but it's still written in a language
with many easy ways to shoot yourself in the foot. AFAIK (too lazy to
check) it also doesn't have a captcha or similar mechanism to defend
against someone brute forcing the password of a specific user.

The checksums are just blindly updated when either a new release is done
or upstream decides to fiddle with the last release. The ideal is having
a signed package (either binary or source) with signatures for the
upstream sources and the new makepkg feature allowing the correct
fingerprint to be added in the PKGBUILD.
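The makepkg feature referred to above is the `validpgpkeys` array: a PKGBUILD lists upstream's signing key fingerprint, fetches the detached `.sig` next to the tarball, and makepkg refuses the source unless gpg reports a valid signature whose key fingerprint is in that list. The following is an added example, not code from this thread or from the pacman project: a PKGBUILD excerpt in that shape (the URLs and the fingerprint are constructed placeholders), plus a small bash checker of my own that applies the same rule to gpg's `--status-fd` output so the behaviour can be seen without a keyring.

```bash
#!/bin/bash
# Added example (not from the thread or from makepkg): how a PKGBUILD pins the
# upstream signing key, and a checker that mirrors makepkg's rule: a detached
# signature counts only if gpg reports VALIDSIG *and* the signer's full
# fingerprint is one of the pinned validpgpkeys.

# PKGBUILD excerpt. The host and the fingerprint are constructed placeholders.
pkgname=example
pkgver=1.0
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz"
        "https://example.invalid/${pkgname}-${pkgver}.tar.gz.sig")
# 'SKIP' for the .sig is the usual idiom: the trust now rests on the signature,
# not on a checksum that is rewritten every time upstream reuploads a release.
sha256sums=('SKIP' 'SKIP')
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')  # placeholder fingerprint

# check_signature STATUS_TEXT
#   STATUS_TEXT is what `gpg --status-fd 1 --verify file.sig file` prints.
#   Returns 0 only for a good signature made by a pinned key. A signature from
#   any other key, even one already trusted in the local keyring, is rejected,
#   as are BADSIG / ERRSIG (unknown key) / EXPSIG results, which never produce
#   a VALIDSIG line.
check_signature() {
    local status="$1" fpr k
    # Field 3 of the VALIDSIG line is the full fingerprint of the signing key.
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    [ -n "$fpr" ] || return 1
    for k in "${validpgpkeys[@]}"; do
        [ "$k" = "$fpr" ] && return 0
    done
    return 1
}

# verify_pinned FILE SIGFILE
#   Real-world wrapper: runs gpg and feeds its status output to the checker.
#   Not exercised below because it needs a keyring; shown for completeness.
verify_pinned() {
    local file="$1" sig="$2" status
    status=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    check_signature "$status"
}
```

Note what the check does not do: it does not consult gpg's trust model at all. The PKGBUILD, which the user can read and which is itself in version control on the AUR, is the only thing that decides which key is acceptable, so importing a stray key into the build user's keyring does not widen what makepkg will accept.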
