McGee: The real story behind Arch Linux package signing
Posted Mar 24, 2011 19:33 UTC (Thu) by vonbrand
Parent article: McGee: The real story behind Arch Linux package signing
This is unfair to LWN. That an (essential) feature doesn't move forward can't just be blamed on "the reporters/requesters didn't step up to completing the task". Package signing is not just handling signatures for individual packages in the package manager, it needs workflow to ensure only the right files get blessed, key handling, ensuring mirrors can't play shenanigans (see this discussion on package manager security, which McGee himself cites). This is a distribution-wide task, not just package manager hacking.
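To make the comment's point concrete, here is an added toy model (not code from the comment, from LWN, or from Arch Linux) of why per-package signatures alone leave the mirror problem open. The client verifies a signed, time-limited repository database that lists every published package's hash, then checks each package against it; a mirror that serves a tampered package, an unlisted package, or a stale database is rejected. HMAC-SHA256 stands in for a public-key signature so it runs with the standard library only; the key id, package names and contents are constructed.

```python
"""Toy model of signed repository metadata for a package manager.

A mirror is untrusted: it can serve a stale repo database (replay / freeze),
swap a package's bytes, or advertise a package that was never published.
Per-package signatures alone do not catch the first and third cases; a signed,
time-limited repository database listing every package hash does.

Constructed example; HMAC-SHA256 stands in for a public-key signature so it
runs with the standard library only. Key ids, names and contents are made up.
"""
import hashlib
import hmac
import json

# Constructed trusted signer set (assumption). In a real distribution these
# would be public keys; here they are shared secrets purely for the demo.
TRUSTED_KEYS = {
    "release-2011": b"demo-release-key-not-real",
}


class VerificationError(Exception):
    pass


def sign(key: bytes, payload: bytes) -> str:
    """Stand-in signature: HMAC over the exact bytes that will be verified."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_repo_db(packages: dict, signer_id: str, key: bytes, now: int, ttl: int):
    """Produce signed repo metadata listing every published package's hash.

    The expiry field lets a client reject a mirror that keeps serving an old
    database to hide security updates (a freeze attack).
    """
    db = {
        "generated": now,
        "expires": now + ttl,
        "packages": {
            name: hashlib.sha256(content).hexdigest()
            for name, content in sorted(packages.items())
        },
    }
    payload = json.dumps(db, sort_keys=True, separators=(",", ":")).encode()
    return payload, signer_id, sign(key, payload)


def verify_repo_db(payload: bytes, signer_id: str, sig: str, now: int) -> dict:
    """Check the signer is trusted, the signature matches, and the metadata is fresh."""
    key = TRUSTED_KEYS.get(signer_id)
    if key is None:
        raise VerificationError(f"untrusted signer {signer_id!r}")
    if not hmac.compare_digest(sign(key, payload), sig):
        raise VerificationError("repo database signature mismatch")
    db = json.loads(payload)
    if now > db["expires"]:
        raise VerificationError("repo database expired; mirror may be serving stale metadata")
    return db


def verify_package(db: dict, name: str, content: bytes) -> bool:
    """A package is accepted only if the signed db lists it and the hash matches."""
    expected = db["packages"].get(name)
    if expected is None:
        raise VerificationError(f"{name!r} is not listed in the signed repo database")
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample repository signed by the release key.
NOW = 1_300_000_000
PACKAGES = {"foo-1.0": b"foo v1.0 payload", "bar-2.3": b"bar v2.3 payload"}
DB_BYTES, SIGNER, SIG = build_repo_db(
    PACKAGES, "release-2011", TRUSTED_KEYS["release-2011"], NOW, ttl=7 * 86400
)


def check_mirror(payload, signer_id, sig, name, content, now=NOW):
    """Client-side flow: verify the db, then the package; return 'ok' or the reason."""
    try:
        db = verify_repo_db(payload, signer_id, sig, now)
        return "ok" if verify_package(db, name, content) else "package hash mismatch"
    except VerificationError as e:
        return str(e)


if __name__ == "__main__":
    print(check_mirror(DB_BYTES, SIGNER, SIG, "foo-1.0", PACKAGES["foo-1.0"]))
    print(check_mirror(DB_BYTES, SIGNER, SIG, "foo-1.0", b"tampered"))
    print(check_mirror(DB_BYTES, SIGNER, SIG, "evil-9.9", b"x"))
    print(check_mirror(DB_BYTES, SIGNER, SIG, "foo-1.0", PACKAGES["foo-1.0"], now=NOW + 30 * 86400))
```

The pieces the comment lists map onto the code: the trusted key set is the key-handling problem, the signed database is the "only the right files get blessed" workflow, and the expiry plus the per-package hash list is what stops a mirror from replaying or substituting content. Swapping HMAC for a real signature scheme changes none of that structure.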