McGee: The real story behind Arch Linux package signing

Posted Mar 25, 2011 21:25 UTC (Fri) by intgr (subscriber, #39733)
In reply to: McGee: The real story behind Arch Linux package signing by AndreE
Parent article: McGee: The real story behind Arch Linux package signing

> then Arch Linux is really just nothing more than a hobby OS.

Indeed, that's what it is. Arch Linux has never strived to be an enterprise distribution. What do you expect from a group of 30 developers and almost no funding?

It's sad that there is no package signing yet, but there are numerous other distros that have it. If that's what you need, use those.

> Dangerous default permissions? No developer interest! Remote exploit in kernel? No developer interest!

But that's what the developers are interested in. Arch Linux often releases updates on the same day as upstreams — usually faster than even the experimental branches of other distros. There is no delay introduced by back-porting patches, security or otherwise. That's what it's all about, being agile and not overcomplicating things.



McGee: The real story behind Arch Linux package signing

Posted Mar 26, 2011 12:45 UTC (Sat) by rleigh (subscriber, #14622)

> It's sad that there is no package signing yet, but there are numerous
> other distros that have it. If that's what you need, use those.

This is a really strange stance. Distribution security is something *all* distributions need to care about. I may not directly deal with that many end users of the software I package and distribute, but I sure as hell care deeply that they aren't going to get their systems compromised and exploited as a result of anything I do. If I didn't care about the users downloading my software, I'd be asking myself if I should be publicly distributing it at all. Signing packages is the root of all trust a user can have in any files downloaded from a distribution or its mirrors; without that, there is zero basis for any trust--I have no guarantee there has been any tampering at all.

> Arch Linux often releases updates on the same day as upstreams — usually
> faster than even the experimental branches of other distros. There is no
> delay introduced by back-porting patches, security or otherwise.
> That's what it's all about, being agile and not overcomplicating things.

Having the knowledge that the software you are downloading from a mirror is genuine isn't really anything to do with any of this though: it's a fundamental requirement for a modern distribution. Everything should be signed, always. It doesn't matter how quick and "agile" you are getting a release out if your users cannot place *any* trust in the origin and authenticity of the files they are downloading.

Regards,
Roger

McGee: The real story behind Arch Linux package signing

Posted Mar 26, 2011 14:31 UTC (Sat) by intgr (subscriber, #39733)

You misunderstood what I meant to say. I'm not defending Arch Linux's lack of package signing; I very much understand and agree that it's necessary.

I was just saying that Arch Linux *is* a hobby OS, as you suggested yourself; it doesn't aim to be more than that.

You make it sound like package signing is the only important feature about a distro.
