On 01/12/2014 01:13 PM, Taylor Hornby wrote: > Thank you, that makes so much more sense! > > So, really, the vulnerability only exists while the Arch dev (or > package maintainer or whatever they're called) is building the > package. Once they do, and sign it, all Arch users will verify their > signature to make sure they get the same file the Arch dev created.
That's correct! See these pages for more info on how pacman's signature checking works: <https://wiki.archlinux.org/index.php/Pacman#Package_security> <https://wiki.archlinux.org/index.php/Pacman-key> > That's not so bad, then, since you can't really do any better unless > the upstream source (Mozilla) signs their files, and the package > maintainer has their public key. To be honest, I'm a little surprised that Mozilla doesn't sign their Firefox source code. Kyle
signature.asc
Description: OpenPGP digital signature
