McGee: The real story behind Arch Linux package signing

Posted Mar 26, 2011 10:47 UTC (Sat) by tzafrir (subscriber, #11501)
In reply to: McGee: The real story behind Arch Linux package signing by vonbrand
Parent article: McGee: The real story behind Arch Linux package signing

This is a matter of trust. Do you trust all of those lone developers?

Do you effectively check your system for revoked GPG keys?


McGee: The real story behind Arch Linux package signing

Posted Mar 26, 2011 11:29 UTC (Sat) by ovitters (subscriber, #27950)

In addition, GNOME and various other software do not sign their tarballs. The trust is already limited. You'll know it is packaged, but not if it comes from the developers (meaning: break-in at a mirror).

McGee: The real story behind Arch Linux package signing

Posted Mar 26, 2011 13:17 UTC (Sat) by sahko (guest, #54088)

This is so much bigger than Arch.
It affects every distribution shipping GNOME.
That's every one, besides Slackware. Will we see an LWN article about it?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds