Package signing (was: Arch Linux security is still poor)
Am 17.03.2010 01:06, schrieb Linas:
> There are several ways to close the gap:
> *Always download the package list from ftp.archlinux.org
> It's the easier solution, but it only protects against the mirror
> operator. Moreover, it increases load on that server and makes it a
> single point of failure.
ftp.archlinux.org is yet another mirror ... a very slow one.
> *Package lists are signed from a trusted master key. There may be up to
> a key per repo.
> Easy to provide, allows backward compatibility.
Signing databases would work if we had another hash than md5 for packages.
> *Packages are automatically signed by ftp.archlinux.org before
> distributing them.