[pacman-dev] [ Package Signing ] Your signature please

Jelle van der Waa jelle at vdwaa.nl
Sat Feb 19 14:15:44 EST 2011


On Sat, 2011-02-19 at 20:05 +0100, Alf Gaida wrote: 
> >Yeah! Archers deserve to die!
> >
> >But really I'm not convinced by this hyper-paranoia trash.
> >There will always be ways to compromise your machine. Someone who would
> >go through the trouble of setting up a proxy mirror and injecting
> >malicious code into seemingly normal packages is probably going to find
> >other ways. Package signing will not protect you.
> >
> >You will never be safe.
> >The truth is out there.
> This is open source - if you would create real trouble, just help with
> kernel-modules. ;) The only difference is, in other distributions these errors came
> through your system signed.
> 
> Why hacking, when simple development is so easy? 
> 

I don't understand what you are saying, but in short:

You can't force Allan / any pacman-dev to create package signing for
pacman. If you really want to get this feature into pacman/archlinux
(dbscripts etc. need to be redone too):

- read the code
- add patches
- wait for devs to sign them off

On a side note:
http://media.ccc.de/browse/congress/2010/27c3-4295-en-high_speed_high_security_cryptography.html

-- 
Jelle van der Waa