
Arch Linux and (the lack of) package signing

Posted Mar 24, 2011 15:50 UTC (Thu) by tetromino (subscriber, #33846)
In reply to: Arch Linux and (the lack of) package signing by hickinbottoms
Parent article: Arch Linux and (the lack of) package signing

> Unless I'm out of date I believe Gentoo has also always suffered this, and continues to do so.

You are many years out of date :) Gentoo's portage has had the ability to use GPG to sign and verify package manifests since 2004: http://www.gentoo.org/news/20041021-portage51.xml

What is true is that there seems to be no policy requiring Gentoo developers to sign manifests, and as a result, many developers never bother to do so and thousands of packages remain unsigned.



Gentoo package signing

Posted Mar 24, 2011 16:39 UTC (Thu) by alex (subscriber, #1355)

So I assume if old packages aren't signed portage will either allow them or refuse to install them depending on the level of the feature?

/me makes a note to enable the gpg feature.

Arch Linux and (the lack of) package signing

Posted Mar 24, 2011 16:46 UTC (Thu) by hickinbottoms (subscriber, #14798)

> You are many years out of date :)

I suspected as much! However, I looked into this feature today and it doesn't appear to be enabled in the currently marked-stable portage (on my system, at least):

> # emerge ...whatever...
> FEATURES variable contains unknown value(s): gpg
> Portage 2.1.9.42 (default/linux/x86/10.0, gcc-4.4.5, glibc-2.11.3-r0, 2.6.35-gentoo-r12 i686)

Still, as you say it counts for little if most of the software isn't signed by the mai

Arch Linux and (the lack of) package signing

Posted Mar 24, 2011 19:48 UTC (Thu) by vapier (subscriber, #15768)

hmm, should be trivial to start enforcing manifest signing in the main tree. it's trivial to set up keys after all.

$ find *-* -maxdepth 2 -name Manifest | wc -l
14438
$ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP SIGNATURE' {} + | wc -l
6032

that is fairly abysmal ...
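
As an added illustration (not code from this thread or from Portage), the same audit done in Python: each Manifest is classified by the full clearsign skeleton rather than by a substring match, so a Manifest whose signature block is cut off is reported as malformed instead of being counted as signed. The sample tree, package names and digests are constructed placeholders.

```python
"""Audit a tree of Gentoo-style Manifest files for PGP clearsign coverage."""
import os
import tempfile

SIGNED_HDR = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed sample Manifests; the digests and armor body are dummy values.
SIGNED = "\n".join([SIGNED_HDR, "Hash: SHA256", "",
                    "DIST foo-1.0.tar.gz 1024 SHA256 0000",
                    "EBUILD foo-1.0.ebuild 512 SHA256 1111",
                    SIG_BEGIN, "iQEcBAEBdummy", SIG_END, ""])
UNSIGNED = "DIST bar-2.0.tar.gz 2048 SHA256 2222\nEBUILD bar-2.0.ebuild 256 SHA256 3333\n"
TRUNCATED = SIGNED.split(SIG_END)[0]  # signature block cut off: must not count as signed


def classify_manifest(text):
    """Return 'signed', 'unsigned' or 'malformed' for one Manifest's contents."""
    lines = text.splitlines()
    if not lines:
        return "malformed"
    if lines[0] != SIGNED_HDR:
        # No clearsign header; a stray armor line elsewhere is suspicious, not a signature.
        return "unsigned" if SIG_BEGIN not in lines else "malformed"
    try:
        i = lines.index(SIG_BEGIN)
        j = lines.index(SIG_END, i)
    except ValueError:
        return "malformed"
    # Clearsigned body must follow the blank line after the Hash: header,
    # and the END line must close the file.
    if "" not in lines[1:i] or j != len(lines) - 1:
        return "malformed"
    return "signed"


def build_sample_tree():
    """Write the constructed Manifests into a temporary category/package layout."""
    root = tempfile.mkdtemp(prefix="manifest-audit-")
    for pkg, content in (("app-misc/foo", SIGNED), ("app-misc/bar", UNSIGNED),
                         ("dev-libs/baz", TRUNCATED)):
        os.makedirs(os.path.join(root, pkg))
        with open(os.path.join(root, pkg, "Manifest"), "w") as fh:
            fh.write(content)
    return root


def audit_tree(root):
    """Count Manifests per class and list the ones that are not properly signed."""
    counts = {"signed": 0, "unsigned": 0, "malformed": 0}
    flagged = []
    for dirpath, _, files in os.walk(root):
        if "Manifest" in files:
            path = os.path.join(dirpath, "Manifest")
            with open(path) as fh:
                kind = classify_manifest(fh.read())
            counts[kind] += 1
            if kind != "signed":
                flagged.append(os.path.relpath(path, root))
    return counts, sorted(flagged)
```

Run `audit_tree(build_sample_tree())` to get the per-class counts and the relative paths of every Manifest that still needs a signature.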

Arch Linux and (the lack of) package signing

Posted Mar 25, 2011 2:53 UTC (Fri) by nicooo (guest, #69134)

It seems like there are some issues that still need to be resolved.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds