[pacman-dev] GPG work

Dan McGee dpmcgee at gmail.com
Mon Dec 8 10:04:56 EST 2008


On Mon, Dec 8, 2008 at 7:08 AM, Dan McGee <dpmcgee at gmail.com> wrote:
> On Mon, Dec 8, 2008 at 7:00 AM, Teran McKinney <sega01 at gmail.com> wrote:
>> I like the idea of GPG signed repositories, but they are just about
>> useless if they are signing MD5s. MD5 is very insecure, but good for
>> normal file integrity checking. Can Pacman use SHA-256 or similar?
>> Another thing to watch out for is malicious publication of old
>> repositories with old and vulnerable packages that have the force
>> option set. I've thought briefly on how to circumvent this, but not
>> enough to have a method I would propose.
>
> I think you misunderstood completely- try reading this first:
> http://archlinux.org/pipermail/arch-dev-public/2008-December/009244.html

And sorry about this- I thought I had cross-posted this message to
this list, so now I see why it maybe wasn't clear the route we were
taking. Let me know if you have questions.

-Dan
