[pacman-dev] [PATCH] Add per-repo PinnedPubKey option

Travis Burtrum travis.archlinux at burtrum.org
Tue Nov 1 13:44:03 UTC 2016


On 10/31/2016 05:24 PM, Daniel Micay wrote:
> Perhaps Pacman should just learn to respect HPKP? It's actually
> supported by wget now, take a look at ~/.wget-hsts. Pacman could have a
> similar file in the sync database directory. Then it just kicks in after
> the first connection and as long as Pacman keeps accessing that mirror
> it will keep updating the date. It could work quite well since we don't
> support not upgrading for long periods of time.
> 

Those are 2 different things though: wget supports HSTS, not HPKP,
though pinning public keys is part of HPKP.  I plan eventually to write
HPKP support for curl/wget, but that's a pretty ambitious project I
don't have time for right now.

However, given how often pacman pushes the mirrorlist, it could include
just a hard-coded set of hashes for TLS servers.  Or a simple script
could generate and install them for those who care.
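Added example, not part of the patch or this thread: a shell script that turns a mirror's certificate into the `sha256//<base64>` pin format that curl's `--pinnedpubkey` option accepts, i.e. the "simple script generates and installs them" idea above. It assumes openssl is installed and that pacman's PinnedPubKey value is handed to curl unchanged (an assumption); the certificate it pins is a throwaway one generated locally as a stand-in for a real mirror's.

```shell
#!/bin/sh
# Added example: derive a curl-style public key pin from a TLS certificate.
# Assumes openssl is on PATH. The key and certificate are generated here as
# a constructed stand-in for a mirror's real certificate.
set -e

# Print the pin for the PEM certificate in $1. The hash covers the DER
# SubjectPublicKeyInfo only, not the whole certificate, so the pin keeps
# working across a renewal that reuses the same key pair.
spki_pin() {
    printf 'sha256//%s\n' "$(
        openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
    )"
}

# Same pin derived from the private key; a cross-check for spki_pin, and
# what a mirror operator can publish without handing out the certificate.
key_pin() {
    printf 'sha256//%s\n' "$(
        openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
    )"
}

# Generate a throwaway RSA key and self-signed certificate in directory $1
# (constructed test data; CN is a placeholder, not a real mirror).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" -days 1 \
        -subj "/CN=mirror.example" >/dev/null 2>&1
}

# Demo: generate a certificate and print the pin line one would record
# for that mirror, e.g. as a PinnedPubKey value or a --pinnedpubkey argument.
demo() {
    d=$(mktemp -d)
    make_demo_cert "$d"
    spki_pin "$d/cert.pem"
    rm -rf "$d"
}

demo
```

A mismatch between the pin recorded for a mirror and the key it now presents makes curl refuse the connection, so pins must be rotated in lockstep with the mirror's key, which is the operational cost this thread is weighing.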
