[aur-general] Build packages without Arch on pkgbuild.com

Morten Linderud foxboron at archlinux.org
Sat Apr 7 12:04:55 UTC 2018


On Sat, Apr 07, 2018 at 11:53:08AM +0530, Pierre Neidhardt via aur-general wrote:
> To perform the complete operation on soyuz, we need to forward the
> gpg-socket (and the SSH socket if different) to soyuz, which defeats the PGP
> / Web of Trust security model: for a person with root access to soyuz,
> the private key is only one passphrase away.
> 

Which is why I have been working on clave[1]. It helps in the cases where build
artefacts are large and sorta useless to download after building. But it doesn't
prevent the case where a malicious root user is capable of switching the files
right after build, unless you do some additional verification after generating
the signing request.

Since it creates signatures with the new packet style, it won't be supported
before pacman 5.1, and I plan on improving it a bit before that time.


[1]: https://github.com/Foxboron/clave

-- 
Morten Linderud

PGP: 9C02FF419FECBE16
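The exchange Morten describes (the build host sends only a signing request, the key never leaves the workstation, and the signer does some verification of its own before signing), as an added example that is not clave's code and not part of the original thread. It uses Ed25519 from Go's standard library as a stand-in for OpenPGP, constructed package contents in place of a real build, and an assumed signer policy (compare the requested digest with one obtained independently, e.g. from a rebuild on a trusted host); the type and function names are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SigningRequest is all the build host sends to the signer: the artefact's
// name and SHA-256 digest. The artefact stays on the build host and the
// signing key stays on the workstation; no gpg-agent socket is forwarded.
type SigningRequest struct {
	Name   string
	Digest [sha256.Size]byte
}

// NewSigningRequest is run on the build host against the file it just built.
func NewSigningRequest(name string, artefact []byte) SigningRequest {
	return SigningRequest{Name: name, Digest: sha256.Sum256(artefact)}
}

// message is the exact byte string that gets signed: a fixed prefix, the
// name and the hex digest, NUL-separated so the fields cannot be confused.
func (r SigningRequest) message() []byte {
	return []byte("signing-request\x00" + r.Name + "\x00" + hex.EncodeToString(r.Digest[:]))
}

// ErrUntrustedDigest is returned when the signer has no independent reason
// to believe the digest in the request describes the artefact it expects.
var ErrUntrustedDigest = errors.New("requested digest does not match independently obtained digest; refusing to sign")

// Sign runs on the workstation. It signs the request only if the digest
// agrees with one the signer obtained on its own (assumed policy: for
// instance from a rebuild on a host the signer controls). Without such a
// check, a root user on the build host who swaps the file before the
// request is generated obtains a valid signature over the swapped file.
func Sign(priv ed25519.PrivateKey, r SigningRequest, independentDigest [sha256.Size]byte) ([]byte, error) {
	if r.Digest != independentDigest {
		return nil, ErrUntrustedDigest
	}
	return ed25519.Sign(priv, r.message()), nil
}

// VerifyArtefact is what anyone holding the signature runs against the file
// actually on disk. It rehashes that file, so a file swapped after the
// request was generated fails here even though the signature itself is valid.
func VerifyArtefact(pub ed25519.PublicKey, name string, artefact []byte, sig []byte) bool {
	return ed25519.Verify(pub, NewSigningRequest(name, artefact).message(), sig)
}

// Demo walks through both swap timings with constructed artefacts and
// reports whether each one was rejected.
func Demo() (swappedAfterRejected bool, swappedBeforeRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed stand-ins for a built package and a tampered copy.
	good := []byte("constructed package contents")
	evil := []byte("constructed package contents with a backdoor")
	name := "example-1.0-1-x86_64.pkg.tar.xz" // constructed file name

	// The signer's independent digest: here simply the hash of the honest
	// build; in practice it would come from a rebuild the signer trusts.
	independent := sha256.Sum256(good)

	// Case 1: honest request, then root swaps the file after the request.
	req := NewSigningRequest(name, good)
	sig, err := Sign(priv, req, independent)
	if err != nil {
		return false, false, err
	}
	if !VerifyArtefact(pub, name, good, sig) {
		return false, false, errors.New("honest artefact should verify")
	}
	swappedAfterRejected = !VerifyArtefact(pub, name, evil, sig)

	// Case 2: root swaps the file before the request is generated. The
	// request is well-formed, so only the signer's own check stops it.
	evilReq := NewSigningRequest(name, evil)
	_, err = Sign(priv, evilReq, independent)
	swappedBeforeRejected = errors.Is(err, ErrUntrustedDigest)
	return swappedAfterRejected, swappedBeforeRejected, nil
}

func main() {
	after, before, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("swap after the request caught by verification:", after)
	fmt.Println("swap before the request caught by signer policy:", before)
}
```

The two cases make the point of the thread concrete: signing a digest instead of forwarding the agent keeps the private key off the build host, and a swap after the request is caught by anyone who rehashes the file, but a swap before the request is indistinguishable from an honest build unless the signer checks the digest against something it did not get from that same host.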