[pacman-dev] GPG work

Dan McGee dpmcgee at gmail.com
Mon Dec 8 08:08:20 EST 2008

On Mon, Dec 8, 2008 at 7:00 AM, Teran McKinney <sega01 at gmail.com> wrote:
> I like the idea of GPG signed repositories, but they are just about
> useless if they are signing MD5s. MD5 is very insecure, but good for
> normal file integrity checking. Can Pacman use SHA-256 or similiar?
> Another thing to watch out for is malicious publication of old
> repositories with old and vulnerable packages that have the force
> option set. I've thought briefly on how to circumvent this, but not
> enough to have a method I would purpose.

I think you misunderstood completely- try reading this first:

We sign *packages*, not repositories. Will this damn thing about MD5
please die? "Fixing" that still fixes nothing, and I'll pay one
million USD to someone that can actually forge a package with a given

I believe I addressed the old repositories question there as well- we
will eventually have to sign databases too. A lot of thought was done
in this report:


More information about the pacman-dev mailing list