[pacman-dev] GPG work
Dan McGee
dpmcgee at gmail.com
Mon Dec 8 08:08:20 EST 2008
On Mon, Dec 8, 2008 at 7:00 AM, Teran McKinney <sega01 at gmail.com> wrote:
> I like the idea of GPG signed repositories, but they are just about
> useless if they are signing MD5s. MD5 is very insecure, but good for
> normal file integrity checking. Can Pacman use SHA-256 or similiar?
> Another thing to watch out for is malicious publication of old
> repositories with old and vulnerable packages that have the force
> option set. I've thought briefly on how to circumvent this, but not
> enough to have a method I would purpose.
I think you misunderstood completely- try reading this first:
http://archlinux.org/pipermail/arch-dev-public/2008-December/009244.html
We sign *packages*, not repositories. Will this damn thing about MD5
please die? "Fixing" that still fixes nothing, and I'll pay one
million USD to someone that can actually forge a package with a given
MD5.
I believe I addressed the old repositories question there as well- we
will eventually have to sign databases too. A lot of thought was done
in this report:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
-Dan
More information about the pacman-dev
mailing list