
McGee: The real story behind Arch Linux package signing

Posted Mar 25, 2011 12:12 UTC (Fri) by vonbrand (subscriber, #4458)
In reply to: McGee: The real story behind Arch Linux package signing by drag
Parent article: McGee: The real story behind Arch Linux package signing

Yes, but signing the contents of the repository has to be done each time a new package shows up (a lag/mistake here breaks all), and it also limits some lone developer from packaging something and just signing the package with a GPG key that can then be checked against the standard places. I much prefer the signature being part of the package itself (end-to-end security, if you will).


McGee: The real story behind Arch Linux package signing

Posted Mar 26, 2011 10:47 UTC (Sat) by tzafrir (subscriber, #11501)

This is a matter of trust. Do you trust all of those lone developers?

Do you effectively check your system for revoked GPG keys?
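The two failure modes raised in the thread so far can be modelled side by side: a single signature over a repository index (where a stale signature after a new upload invalidates every package) versus a signature carried by each package (where one revoked developer key only affects that developer's packages). This is an added example, not code from LWN, Arch Linux or either commenter; the key ids, package names and contents are constructed, and HMAC over a per-key secret stands in for an OpenPGP signature so the model runs offline with only the standard library.

```python
"""Toy model of repository-index signing versus per-package signing.

Added example; not Arch's or pacman's code. HMAC with a per-key secret
is a stand-in for a GPG signature (assumption made so the example needs
no OpenPGP library). Key ids and package data below are constructed.
"""
import hashlib
import hmac

# Constructed keyring: key id -> secret (stands in for OpenPGP keys).
KEYRING = {
    "dev-alice": b"alice-secret",
    "dev-bob": b"bob-secret",
    "repo-master": b"master-secret",
}


def sign(key_id, data):
    """Stand-in signature: HMAC-SHA256 under the signer's secret."""
    return hmac.new(KEYRING[key_id], data, hashlib.sha256).hexdigest()


def verify(key_id, data, sig, revoked=frozenset()):
    """A signature is only good if the key is known, not revoked, and matches."""
    if key_id not in KEYRING or key_id in revoked:
        return False
    return hmac.compare_digest(sign(key_id, data), sig)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# --- Strategy 1: one signed index over the whole repository ---
def build_index(packages):
    """Index lists every package with its hash; the index is signed once."""
    body = "\n".join(
        f"{name} {sha256(blob)}" for name, blob in sorted(packages.items())
    ).encode()
    return body, sign("repo-master", body)


def verify_via_index(packages, index_body, index_sig, revoked=frozenset()):
    """Returns {name: ok}. If the index signature is bad, nothing verifies."""
    if not verify("repo-master", index_body, index_sig, revoked):
        return {name: False for name in packages}
    listed = dict(line.split() for line in index_body.decode().splitlines())
    return {name: listed.get(name) == sha256(blob) for name, blob in packages.items()}


# --- Strategy 2: each package carries its own signature ---
def verify_per_package(packages, sigs, revoked=frozenset()):
    """sigs: name -> (key_id, signature). Each package stands or falls alone."""
    result = {}
    for name, blob in packages.items():
        key_id, sig = sigs.get(name, (None, None))
        result[name] = sig is not None and verify(key_id, blob, sig, revoked)
    return result


def demo():
    packages = {"foo-1.0": b"foo contents", "bar-2.1": b"bar contents"}
    index_body, index_sig = build_index(packages)
    fresh = verify_via_index(packages, index_body, index_sig)

    # The "lag/mistake": a new package lands and the index is regenerated,
    # but nobody re-signs it, so the old signature no longer matches.
    packages["baz-0.3"] = b"baz contents"
    stale_body, _ = build_index(packages)
    stale = verify_via_index(packages, stale_body, index_sig)

    # Per-package signing: alice signs foo and baz, bob signs bar.
    sigs = {
        "foo-1.0": ("dev-alice", sign("dev-alice", packages["foo-1.0"])),
        "bar-2.1": ("dev-bob", sign("dev-bob", packages["bar-2.1"])),
        "baz-0.3": ("dev-alice", sign("dev-alice", packages["baz-0.3"])),
    }
    per_pkg = verify_per_package(packages, sigs)
    # Revoking bob's key (the check tzafrir asks about) only hits bob's package.
    after_revoke = verify_per_package(packages, sigs, revoked={"dev-bob"})
    return fresh, stale, per_pkg, after_revoke


if __name__ == "__main__":
    for label, res in zip(("fresh index", "stale index", "per-package", "bob revoked"), demo()):
        print(f"{label:12s} {res}")
```

Running it prints the fresh index verifying everything, the stale index rejecting everything including the two packages that never changed, and the per-package mode rejecting only `bar-2.1` once `dev-bob` is revoked. The revocation check only works because `verify` consults the revoked set on every call, which is the part a real client has to keep current.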

McGee: The real story behind Arch Linux package signing

Posted Mar 26, 2011 11:29 UTC (Sat) by ovitters (subscriber, #27950)

In addition, GNOME and various other software do not sign their tarballs. The trust is already limited. You'll know it is packaged, but not if it comes from the developers (meaning: breakin at a mirror).

McGee: The real story behind Arch Linux package signing

Posted Mar 26, 2011 13:17 UTC (Sat) by sahko (guest, #54088)

This is so much bigger than Arch.
It affects every distribution shipping GNOME.
That's every one, besides Slackware. Will we see an LWN article about it?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds