[pacman-dev] [PATCH] Add per-repo PinnedPubKey option

Daniel Micay danielmicay at gmail.com
Mon Oct 31 21:24:29 UTC 2016


On Mon, 2016-10-31 at 17:03 -0400, Dave Reisner wrote:
> On Mon, Oct 31, 2016 at 04:36:23PM -0400, Travis Burtrum wrote:
> > From abb057844eec0e5707c31b643d0f2187b4cf0eb6 Mon Sep 17 00:00:00 2001
> > From: Travis Burtrum <travis.archlinux at burtrum.org>
> > Date: Mon, 31 Oct 2016 02:12:31 -0400
> > Subject: [PATCH] Add per-repo PinnedPubKey option
> > 
> > This sets curl's CURLOPT_PINNEDPUBLICKEY option in the built-in
> > downloader, or replaces %p in XferCommand.  This pins public
> > keys to ensure your TLS connection is not man-in-the-middled
> > without relying on CAs etc.  Probably most useful currently
> > for very small groups or single servers.
> > 
> > It would obviously be best as a per-mirror option, but such
> > a thing currently does not exist.
> 
> But perhaps as part of a larger scope, it could... As mentioned on IRC,
> I'm not a huge fan of this.

Perhaps Pacman should just learn to respect HPKP? It's actually
supported by wget now, take a look at ~/.wget-hsts. Pacman could have a
similar file in the sync database directory. Then it just kicks in after
the first connection and as long as Pacman keeps accessing that mirror
it will keep updating the date. It could work quite well since we don't
support not upgrading for long periods of time.
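The pin file sketched above, written out as an added example (not pacman code and not part of the patch): a trust-on-first-use store in the spirit of ~/.wget-hsts, keyed by mirror host and port, holding the pin in the "sha256//<base64>" form that curl's CURLOPT_PINNEDPUBLICKEY accepts (SHA-256 over the DER-encoded SubjectPublicKeyInfo), so the same string could be passed to the built-in downloader or substituted for %p in an XferCommand. The file layout, field names and 30-day max-age are assumptions, and the SPKI byte strings below are constructed stand-ins for real DER SubjectPublicKeyInfo structures.

```python
"""
Added example, not pacman's code: a trust-on-first-use public-key pin store
modelled loosely on wget's HSTS file.  File format, field names and the
default max-age are assumptions made for this illustration.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed policy: a pin that is not refreshed within 30 days is considered stale.
DEFAULT_MAX_AGE = 30 * 24 * 3600


def curl_pin(spki_der: bytes) -> str:
    """Pin in the syntax curl's CURLOPT_PINNEDPUBLICKEY accepts:
    'sha256//' + base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256//" + base64.b64encode(digest).decode("ascii")


@dataclass
class Pin:
    created: int   # unix time the pin was recorded or last confirmed
    max_age: int   # seconds the pin stays valid without being refreshed
    pin: str       # sha256//... as produced by curl_pin()

    def expired(self, now: int) -> bool:
        return now > self.created + self.max_age


Store = Dict[Tuple[str, int], Pin]


def parse_store(text: str) -> Store:
    """Parse tab-separated 'host port created max-age pin' lines; '#' lines are comments."""
    store: Store = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, created, max_age, pin = line.split("\t")
        store[(host, int(port))] = Pin(int(created), int(max_age), pin)
    return store


def serialize_store(store: Store) -> str:
    lines = ["# host\tport\tcreated\tmax-age\tsha256-pin"]
    for (host, port), p in sorted(store.items()):
        lines.append(f"{host}\t{port}\t{p.created}\t{p.max_age}\t{p.pin}")
    return "\n".join(lines) + "\n"


def check_connection(store: Store, host: str, port: int, spki_der: bytes,
                     now: int, max_age: int = DEFAULT_MAX_AGE) -> str:
    """Decide what to do with a freshly negotiated TLS session whose leaf key is spki_der.

    Returns "pinned" (first contact, pin recorded), "refreshed" (pin matched, date
    bumped), "repinned" (old pin had expired, replaced) or "MISMATCH" (abort the
    download; the store is left untouched).
    """
    observed = curl_pin(spki_der)
    key = (host, port)
    entry = store.get(key)
    if entry is None:
        store[key] = Pin(now, max_age, observed)
        return "pinned"
    if entry.pin == observed:
        entry.created = now          # keep the pin alive while the mirror is in use
        return "refreshed"
    if entry.expired(now):
        store[key] = Pin(now, max_age, observed)
        return "repinned"
    return "MISMATCH"


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (any bytes hash the same way).
SPKI_A = b"constructed-spki-of-mirror-key-A"
SPKI_B = b"constructed-spki-of-a-different-key-B"


def demo() -> list:
    """Walk a mirror through first contact, a normal refresh, a key swap and pin expiry."""
    store: Store = {}
    t0 = 1477950000                   # a time on 2016-10-31, chosen for the example
    results = [
        check_connection(store, "mirror.example.org", 443, SPKI_A, t0),
        check_connection(store, "mirror.example.org", 443, SPKI_A, t0 + 86400),
        check_connection(store, "mirror.example.org", 443, SPKI_B, t0 + 2 * 86400),
        check_connection(store, "mirror.example.org", 443, SPKI_B,
                         t0 + 86400 + DEFAULT_MAX_AGE + 1),
    ]
    # Round-trip through the on-disk format to show the store survives a save/load.
    assert parse_store(serialize_store(store)) == store
    return results


if __name__ == "__main__":
    print(demo())
```

The first contact is protected only by whatever CA validation the downloader already does; the store only detects a key change on later visits, and a mirror that is not contacted for longer than max-age is silently re-pinned, which is the trade-off behind tying this to regular upgrades.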