
McGee: The real story behind Arch Linux package signing

Posted Mar 24, 2011 23:51 UTC (Thu) by drag (subscriber, #31333)
In reply to: McGee: The real story behind Arch Linux package signing by vonbrand
Parent article: McGee: The real story behind Arch Linux package signing

> Package signing is not just handling signatures for individual packages in the package manager

I like how Debian does it. Each package is not signed. The list of packages is signed and the list contains hashes of the packages which you can use for validation. Very effective and efficient and requires only minimal changes. Hashing is a normal function of package management and is used to detect corruptions caused by downloading errors.
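The scheme described in this comment, as an added example that is not part of the thread and not Debian's own tooling: the archive signs one Release file, the Release file records the SHA-256 of the Packages index, the index records the SHA-256 of each .deb, and the client walks that chain from a pinned key. Assumptions made for the example: Ed25519 stands in for the GPG signature, the index path, package names and package bytes are constructed, and a single index file is used where a real Release lists many.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Hypothetical index path; a real Release file lists several per suite.
const packagesPath = "main/binary-amd64/Packages"

// Repo is what a mirror serves. Only Release carries a signature; the
// Packages index and every .deb are bound to it through SHA-256 hashes.
type Repo struct {
	Pub      ed25519.PublicKey
	Release  string
	Sig      []byte
	Packages string
}

func sha256hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildRepo is the archive side: one signing operation covers every package.
func BuildRepo(debs map[string][]byte) (*Repo, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(debs))
	for n := range debs {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic index regardless of map order
	var idx strings.Builder
	for _, n := range names {
		fmt.Fprintf(&idx, "Package: %s\nFilename: pool/%s\nSHA256: %s\n\n",
			strings.SplitN(n, "_", 2)[0], n, sha256hex(debs[n]))
	}
	packages := idx.String()
	release := fmt.Sprintf("Suite: stable\nSHA256:\n %s %d %s\n",
		sha256hex([]byte(packages)), len(packages), packagesPath)
	return &Repo{pub, release, ed25519.Sign(priv, []byte(release)), packages}, nil
}

// releaseHashFor returns the SHA-256 the signed Release records for an index path,
// reading only the "SHA256:" section so an "MD5Sum:" line for the same path is ignored.
func releaseHashFor(release, path string) (string, error) {
	inSHA256 := false
	for _, line := range strings.Split(release, "\n") {
		if !strings.HasPrefix(line, " ") {
			inSHA256 = line == "SHA256:"
			continue
		}
		if f := strings.Fields(line); inSHA256 && len(f) == 3 && f[2] == path {
			return f[0], nil
		}
	}
	return "", fmt.Errorf("Release lists no SHA256 for %s", path)
}

// indexHashFor returns the SHA-256 the Packages index records for a pool filename.
func indexHashFor(packages, filename string) (string, error) {
	for _, stanza := range strings.Split(packages, "\n\n") {
		var fn, hash string
		for _, line := range strings.Split(stanza, "\n") {
			if strings.HasPrefix(line, "Filename: ") {
				fn = strings.TrimPrefix(line, "Filename: ")
			} else if strings.HasPrefix(line, "SHA256: ") {
				hash = strings.TrimPrefix(line, "SHA256: ")
			}
		}
		if fn == filename && hash != "" {
			return hash, nil
		}
	}
	return "", fmt.Errorf("Packages index has no entry for %s", filename)
}

// VerifyPackage is the client side. pub is the pinned archive key; nothing served
// by the mirror is trusted until the chain Release -> Packages -> .deb checks out.
func VerifyPackage(pub ed25519.PublicKey, r *Repo, filename string, data []byte) error {
	if !ed25519.Verify(pub, []byte(r.Release), r.Sig) {
		return errors.New("Release signature invalid")
	}
	want, err := releaseHashFor(r.Release, packagesPath)
	if err != nil {
		return err
	}
	if want != sha256hex([]byte(r.Packages)) {
		return errors.New("Packages index does not match signed Release")
	}
	if want, err = indexHashFor(r.Packages, "pool/"+filename); err != nil {
		return err
	}
	if want != sha256hex(data) {
		return fmt.Errorf("%s does not match hash in Packages", filename)
	}
	return nil
}

func main() {
	debs := map[string][]byte{"hello_1.0_amd64.deb": []byte("constructed .deb bytes")}
	repo, err := BuildRepo(debs)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", VerifyPackage(repo.Pub, repo, "hello_1.0_amd64.deb", debs["hello_1.0_amd64.deb"]))
	fmt.Println("tampered .deb:", VerifyPackage(repo.Pub, repo, "hello_1.0_amd64.deb", []byte("trojaned")))
	evil := *repo // a mirror that rewrites the index to match its trojaned .deb
	evil.Packages = strings.Replace(repo.Packages, sha256hex(debs["hello_1.0_amd64.deb"]), sha256hex([]byte("trojaned")), 1)
	fmt.Println("rewritten index:", VerifyPackage(repo.Pub, &evil, "hello_1.0_amd64.deb", []byte("trojaned")))
	fmt.Println("unlisted package:", VerifyPackage(repo.Pub, repo, "new_2.0_amd64.deb", []byte("x")))
}
```

The last case is the lag that the reply below raises: a package uploaded before the Release file is regenerated and re-signed is simply unknown to the client, and a mirror cannot add it on its own because doing so changes the index hash.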


McGee: The real story behind Arch Linux package signing

Posted Mar 25, 2011 12:12 UTC (Fri) by vonbrand (subscriber, #4458)

Yes, but signing the contents of the repository has to be done each time a new package shows up (a lag/mistake here breaks all), and it also limits some lone developer from packaging something and just signing the package with a GPG key that can then be checked against the standard places. I much prefer the signature being part of the package itself (end-to-end security, if you will).

McGee: The real story behind Arch Linux package signing

Posted Mar 26, 2011 10:47 UTC (Sat) by tzafrir (subscriber, #11501)

This is a matter of trust. Do you trust all of those lone developers?

Do you effectively check your system for revoked GPG keys?

McGee: The real story behind Arch Linux package signing

Posted Mar 26, 2011 11:29 UTC (Sat) by ovitters (subscriber, #27950)

In addition, GNOME and various other software do not sign their tarballs. The trust is already limited. You'll know it is packaged, but not if it comes from the developers (meaning: breakin at a mirror).

McGee: The real story behind Arch Linux package signing

Posted Mar 26, 2011 13:17 UTC (Sat) by sahko (guest, #54088)

This is so much bigger than Arch.
It affects every distribution shipping GNOME.
That's every one, besides Slackware. Will we see a LWN article about it?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds