| |||||||||||||
McGee: The real story behind Arch Linux package signingMcGee: The real story behind Arch Linux package signingPosted Mar 24, 2011 19:33 UTC (Thu) by vonbrand (subscriber, #4458)Parent article: McGee: The real story behind Arch Linux package signing
This is unfair to LWN. That an (essential) feature doesn't move forward can't just be blamed on "the reporters/requesters didn't step up to completing the task". Package signing is not just handling signatures for individual packages in the package manager, it needs workflow to ensure only the right files get blessed, key handling, ensuring mirrors can't play shenanigans (see this discussion on package manager security, which McGee himself cites). This is a distribution-wide task, not just package magager hacking.
(Log in to post comments)
McGee: The real story behind Arch Linux package signing Posted Mar 24, 2011 23:51 UTC (Thu) by drag (subscriber, #31333) [Link]
> Package signing is not just handling signatures for individual packages in the package manager
I like how Debian does it. Each package is not signed. The list of packages is signed and the list contains hashes of the packages which you can use for validation. Very effective and efficient and requires only minimal changes. hashing is a normal function of package management and is used to detect corruptions caused by downloading errors.
McGee: The real story behind Arch Linux package signing Posted Mar 25, 2011 12:12 UTC (Fri) by vonbrand (subscriber, #4458) [Link] Yes, but signing the contents of the repository has to be done each time a new package shows up (a lag/mistake here breaks all), and it also limits some lone developer from packaging something and just signing the package with a GPG key that can then be checked aganist the standard places. I much prefer the signature being part of the package itself (end-to-end security, if you will).
McGee: The real story behind Arch Linux package signing Posted Mar 26, 2011 10:47 UTC (Sat) by tzafrir (subscriber, #11501) [Link]
This is a matter of trust. Do you trust all of those lone developers?
Do you effectively check your system for revoked GPG keys?
McGee: The real story behind Arch Linux package signing Posted Mar 26, 2011 11:29 UTC (Sat) by ovitters (subscriber, #27950) [Link]
In addition, GNOME and various other software do not sign their tarballs. The trust is already limited. You'll know it is packaged, but not if it comes from the developers (meaning: breakin at a mirror).
McGee: The real story behind Arch Linux package signing Posted Mar 26, 2011 13:17 UTC (Sat) by sahko (guest, #54088) [Link]
This is so much bigger than Arch.
It affects every distribution shipping GNOME. Thats every one, besides Slackware. Will we see a LWN article about it?
|
|||||||||||||