03-17-2010, 08:06 AM
Thomas Bächler
Package signing (was: Arch Linux security is still poor)

On 17.03.2010 01:06, Linas wrote:
> There are several ways to close the gap:
> *Always download the package list from ftp.archlinux.org
> It's the easier solution, but it only protects against the mirror
> operator. Moreover, it increases load on that server and makes it a
> single point of failure.

ftp.archlinux.org is yet another mirror ... a very slow one.

> *Package lists are signed from a trusted master key. There may be up to
> a key per repo.
> Easy to provide, allows backward compatibility.

Signing databases would work if we had another hash than md5 for packages.

> *Packages are automatically signed by ftp.archlinux.org before
> distributing them.

Hmm, see above.
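
The dependency raised in the reply above (a signed package list only protects a package as far as the digest the list records for it), as an added example that is not part of the original post or of pacman's code. The `%FIELD%` entry layout, the field names, the sample entries and the function names are constructed for illustration, and the list is assumed to have passed signature verification already.

```python
import hashlib
import hmac

# Digest fields accepted for binding a package to a signed list (assumed policy).
# MD5 is left out because MD5 collisions are practical.
STRONG = ("SHA256SUM",)

def parse_desc(text):
    """Parse one '%FIELD%' / value / blank-line entry into a dict."""
    entry, field = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("%") and line.endswith("%") and len(line) > 2:
            field = line.strip("%")
        elif line and field:
            entry[field] = line
            field = None
    return entry

def verify_package(entry, data):
    """Return (ok, reason) for package bytes against a list entry.

    `entry` must come from a list whose signature was already verified;
    that step is outside this example.
    """
    for field in STRONG:
        if field in entry:
            actual = hashlib.sha256(data).hexdigest()
            ok = hmac.compare_digest(actual, entry[field].lower())
            return ok, "sha256 match" if ok else "sha256 mismatch"
    if "MD5SUM" in entry:
        # The signature covers the list, but the list covers the package
        # only through MD5, so the chain is refused at this link.
        return False, "md5-only entry: signed list does not bind package"
    return False, "no digest in entry"

# Constructed sample data: one md5-only entry, one that also carries SHA-256.
PKG = b"constructed package bytes"
OLD_ENTRY = "%NAME%\nfoo\n\n%MD5SUM%\n" + hashlib.md5(PKG).hexdigest() + "\n"
NEW_ENTRY = OLD_ENTRY + "\n%SHA256SUM%\n" + hashlib.sha256(PKG).hexdigest() + "\n"

if __name__ == "__main__":
    for label, raw in (("md5-only", OLD_ENTRY), ("with sha256", NEW_ENTRY)):
        print(label, verify_package(parse_desc(raw), PKG))
```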
