Re: [arch-general] Package signing on soyuz

2017-01-18 Thread Jerome Leclanche
So my current workflow allows doing everything on soyuz. I tried it out for a couple of packages, it works well and FWICT it's secure. Writeup on the setup below as requested on IRC the other day. Local prerequisites: - Extra socket must be enabled. In arch, that seems to be the case by def

Re: [arch-general] Package signing on soyuz

2017-01-18 Thread Jan Alexander Steffens via arch-general
On Wed, Jan 18, 2017 at 8:21 PM Lukas Jirkovsky via arch-general < arch-general@archlinux.org> wrote: > I use only the ssh agent forwarding ("ForwardAgent yes" in > .ssh/config). On pkgbuild.com I build packages using the *-*-build as > always. When a package is built, I use a script [1] that down

Re: [arch-general] Package signing on soyuz

2017-01-18 Thread Lukas Jirkovsky via arch-general
On 17 January 2017 at 08:42, Jerome Leclanche wrote: > What is the current intended way to sign packages on the pkgbuild.com server? I don't think there's any. > I spent the past day setting up agent forwarding > (https://wiki.gnupg.org/AgentForwarding) for it. Had a lot of trouble > setting it

Re: [arch-general] Package signing on soyuz

2017-01-17 Thread Jelle van der Waa
On 01/17/17 at 09:42am, Jerome Leclanche wrote: > What is the current intended way to sign packages on the pkgbuild.com server? > > I spent the past day setting up agent forwarding > (https://wiki.gnupg.org/AgentForwarding) for it. Had a lot of trouble > setting it up due to systemd being seemingl

[arch-general] Package signing on soyuz

2017-01-16 Thread Jerome Leclanche
What is the current intended way to sign packages on the pkgbuild.com server? I spent the past day setting up agent forwarding (https://wiki.gnupg.org/AgentForwarding) for it. Had a lot of trouble setting it up due to systemd being seemingly overzealous about the gpg-agent socket. I have it worki

Re: [arch-general] Package signing: database signatures?

2012-03-11 Thread Don deJuan
On 03/10/2012 08:12 AM, Kevin Chadwick wrote: On Mon, 05 Mar 2012 10:42:15 +0100 Florian Pritz wrote: You should read pacman.conf(5) "PACKAGE AND DATABASE SIGNATURE CHECKING" and use "Optional PackageRequired" Quick question and I'm guessing the answer will be just to wait and that's fine. T

Re: [arch-general] Package signing: database signatures?

2012-03-10 Thread Allan McRae
On 11/03/12 02:12, Kevin Chadwick wrote: > On Mon, 05 Mar 2012 10:42:15 +0100 > Florian Pritz wrote: > >> You should read pacman.conf(5) "PACKAGE AND DATABASE SIGNATURE CHECKING" >> and use "Optional PackageRequired" > > Quick question and I'm guessing the answer will be just to wait and > that's

Re: [arch-general] Package signing: database signatures?

2012-03-10 Thread Kevin Chadwick
On Mon, 05 Mar 2012 10:42:15 +0100 Florian Pritz wrote: > You should read pacman.conf(5) "PACKAGE AND DATABASE SIGNATURE CHECKING" > and use "Optional PackageRequired" Quick question and I'm guessing the answer will be just to wait and that's fine. There are just a few packages preventing me fro

Re: [arch-general] Package signing: database signatures?

2012-03-05 Thread Christian Hesse
Florian Pritz on Mon, 05 Mar 2012 10:42:15 +0100: > On 05.03.2012 10:39, Christian Hesse wrote: > > Hello everybody, > > > > afaik, database files in official repositories are not signed yet. Are > > they? > > > > This forces one to set SigLevel to 'Optional' instead of 'Required'. Now > > if an

Re: [arch-general] Package signing: database signatures?

2012-03-05 Thread Florian Pritz
On 05.03.2012 10:39, Christian Hesse wrote: > Hello everybody, > > afaik, database files in official repositories are not signed yet. Are they? > > This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if > anybody wants to provide an infected package he/she only needs to provi

Re: [arch-general] Package signing: database signatures?

2012-03-05 Thread Allan McRae
On 05/03/12 19:39, Christian Hesse wrote: > And even more interesting: Does it make sense to add a new option > 'PkgRequired'? This could force valid signatures for packages and make it > optional for database files. You mean like the "PackageRequired" option that is already there? Or you could

[arch-general] Package signing: database signatures?

2012-03-05 Thread Christian Hesse
Hello everybody, afaik, database files in official repositories are not signed yet. Are they? This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if anybody wants to provide an infected package he/she only needs to provide no signature at all and the package is happily accept

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-17 Thread Ananda Samaddar
On Sun, 13 Jun 2010 12:46:09 +0200 Xavier Chantry wrote: > > It's all there : > http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg and > there : > http://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman > > Come back to us when everything is implemented and working :

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-17 Thread Guillaume ALAUX
On 17 June 2010 01:34, Allan McRae wrote: > On 17/06/10 00:48, Guillaume ALAUX wrote: > >> Are the python scripts in the pacbuild package (apple, strawberry, >> queuepackage, waka and uploadpackage) used any more as described in this >> page ? Becaus

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dan McGee
On Wed, Jun 16, 2010 at 6:35 PM, Dimitrios Apostolou wrote: > On Wed, 16 Jun 2010, Dan McGee wrote: >> >> On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou >> wrote: >>> >>> Hey, what do you think about this way of verifying packages? >>> >>> On Tue, 15 Jun 2010, Dimitrios Apostolou wrote: >>>

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dimitrios Apostolou
On Wed, 16 Jun 2010, Dan McGee wrote: On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou wrote: Hey, what do you think about this way of verifying packages? On Tue, 15 Jun 2010, Dimitrios Apostolou wrote: On another note, an easy but maybe a bit costly way to avoid any MITM tampering to pa

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Allan McRae
On 17/06/10 00:48, Guillaume ALAUX wrote: Are the python scripts in the pacbuild package (apple, strawberry, queuepackage, waka and uploadpackage) used any more as described in this page ? Because some of these scripts point to the old "current" repo

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dan McGee
On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou wrote: > Hey, what do you think about this way of verifying packages? > > On Tue, 15 Jun 2010, Dimitrios Apostolou wrote: >> >> On another note, an easy but maybe a bit costly way to avoid any MITM >> tampering to packages, is serve *.md5 files

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dimitrios Apostolou
Hey, what do you think about this way of verifying packages? On Tue, 15 Jun 2010, Dimitrios Apostolou wrote: On another note, an easy but maybe a bit costly way to avoid any MITM tampering to packages, is serve *.md5 files for every package through a trusted HTTPS host. Then everyone can query

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dimitrios Apostolou
On Tue, 15 Jun 2010, Ionuț Bîru wrote: i found this annoying since, debugging is harder, i have to download the resulted package to test it, send it, wait for the pool to come. is a mess :D even if my system is compromised, we build our packages in clean chroots. The workflow won't be ch

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dimitrios Apostolou
On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote: The proposed model is based on the web of trust. We would trust on some keys to sign other keys. The main keys would be kept by some high trusty developers. They would sign the public keys of the other developers (and their personal keys too) wi

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Guillaume ALAUX
On 16 June 2010 02:23, Allan McRae wrote: > Just to clarify the build process that goes on here: > > 1) make a clean chroot (mkarchroot - only needs done once) > 2) build package in chroot (makechrootpkg) > 3) upload package to staging area and commit to svn (e.g. testingpkg) > 4) release package

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Allan McRae
Just to clarify the build process that goes on here: 1) make a clean chroot (mkarchroot - only needs done once) 2) build package in chroot (makechrootpkg) 3) upload package to staging area and commit to svn (e.g. testingpkg) 4) release package on master server adding it to repo (e.g. db-testing)

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread C Anthony Risinger
On Tue, Jun 15, 2010 at 11:43 AM, Aleksis Jauntēvs wrote: > On Tuesday 15 June 2010 19:37:00 Pierre Schmitz wrote: >> On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs >> >> wrote: >> > I don't think that repo.db should be signed and it is enough to sign only >> > the >> > packages. As I unders

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Aleksis Jauntēvs
On Tuesday 15 June 2010 19:37:00 Pierre Schmitz wrote: > On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs > > wrote: > > I don't think that repo.db should be signed and it is enough to sign only > > the > > packages. As I understand so far the only reason to sign repo.db file is > > to > > pre

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Pierre Schmitz
On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs wrote: > I don't think that repo.db should be signed and it is enough to sign only > the > packages. As I understand so far the only reason to sign repo.db file is > to > prevent "replay" situations in repos. It's the other way round: signing

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Aleksis Jauntēvs
On Tuesday 15 June 2010 18:47:41 Denis A. Altoé Falqueto wrote: > On Tue, Jun 15, 2010 at 12:34 PM, Denis A. Altoé Falqueto > > wrote: > > On Tue, Jun 15, 2010 at 12:02 PM, Guillaume ALAUX wrote: > >>> I think that we should avoid signing files remotely. > >> > >> Is there any precise reason?

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Denis A . Altoé Falqueto
On Tue, Jun 15, 2010 at 12:34 PM, Denis A. Altoé Falqueto wrote: > On Tue, Jun 15, 2010 at 12:02 PM, Guillaume ALAUX wrote: >>> I think that we should avoid signing files remotely. >> Is there any precise reason? If it is because "that remote place could be >> compromised" well any dev computer c

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Denis A . Altoé Falqueto
On Tue, Jun 15, 2010 at 12:02 PM, Guillaume ALAUX wrote: >> I think that we should avoid signing files remotely. > Is there any precise reason? If it is because "that remote place could be > compromised" well any dev computer could be compromised too! The main reason is that we would need to kee

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Guillaume ALAUX
On 15 June 2010 16:55, Dimitrios Apostolou wrote: > On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote: > >> On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou >> wrote: >> >>> Moreover, instead of building all packages in the private PCs of >>> developers, >>> I think it is preferable to sub

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Guillaume ALAUX
On 15 June 2010 16:46, Dan McGee wrote: > On Tue, Jun 15, 2010 at 8:58 AM, Guillaume ALAUX > wrote: > >>How exactly is core and extra database populated? > >> Moreover, instead of building all packages in the private PCs of > > developers > > Packages are not built on developers computers but on

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Dimitrios Apostolou
On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote: On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou wrote: Moreover, instead of building all packages in the private PCs of developers, I think it is preferable to submit PKGBUILDs to build servers (via web interface maybe) and let the serve

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Dan McGee
On Tue, Jun 15, 2010 at 8:58 AM, Guillaume ALAUX wrote: >>How exactly is core and extra database populated? >> Moreover, instead of building all packages in the private PCs of > developers > Packages are not built on developers computers but on build machines as > explained here http://wiki.archli

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Guillaume ALAUX
>How exactly is core and extra database populated? > Moreover, instead of building all packages in the private PCs of developers Packages are not built on developers computers but on build machines as explained here http://wiki.archlinux.org/index.php/Pacbuild

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Denis A . Altoé Falqueto
On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou wrote: > On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote: >> >> And keep in mind that package signing per se will not solve this kind >> of problems. Repository database signing is more important for that >> solution, but is a problem in the

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Ionuț Bîru
On 06/15/2010 04:57 PM, Dimitrios Apostolou wrote: On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote: And keep in mind that package signing per se will not solve this kind of problems. Repository database signing is more important for that solution, but is a problem in the current workflow of A

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Dimitrios Apostolou
On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote: And keep in mind that package signing per se will not solve this kind of problems. Repository database signing is more important for that solution, but is a problem in the current workflow of Arch developers. How exactly is core and extra data

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-14 Thread Denis A . Altoé Falqueto
On Sun, Jun 13, 2010 at 7:46 AM, Xavier Chantry wrote: > On Sun, Jun 13, 2010 at 11:38 AM, Ananda Samaddar > wrote: >> >> This is the reason why we need package signing for Pacman.  I'm aware >> that some progress has been made and it's being worked on.  Are there >> any updates? >> > > It's all

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Ng Oon-Ee
On Sun, 2010-06-13 at 10:48 +0100, Ananda Samaddar wrote: > On Sun, 13 Jun 2010 19:48:53 +1000 > Allan McRae wrote: > > > >> > > > > > > This is the reason why we need package signing for Pacman. I'm > > > aware that some progress has been made and it's being worked on. > > > Are there any updat

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Xavier Chantry
On Sun, Jun 13, 2010 at 11:38 AM, Ananda Samaddar wrote: > > This is the reason why we need package signing for Pacman.  I'm aware > that some progress has been made and it's being worked on.  Are there > any updates? > It's all there : http://projects.archlinux.org/users/allan/pacman.git/log/?h=

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Ananda Samaddar
On Sun, 13 Jun 2010 19:48:53 +1000 Allan McRae wrote: > >> > > > > This is the reason why we need package signing for Pacman. I'm > > aware that some progress has been made and it's being worked on. > > Are there any updates? > > > > Yes... because package signing magically fixes all upstream

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Allan McRae
On 13/06/10 19:38, Ananda Samaddar wrote: On Sun, 13 Jun 2010 09:58:38 +0200 Thomas Bächler wrote: Am 13.06.2010 02:33, schrieb Alexander Duscheleit: OTOH the original mail was meant more to alert *users* of unrealircd, the maintainer should actually already have been noticed via the bug. I

[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Ananda Samaddar
On Sun, 13 Jun 2010 09:58:38 +0200 Thomas Bächler wrote: > Am 13.06.2010 02:33, schrieb Alexander Duscheleit: > > OTOH the original mail was meant more to alert *users* of > > unrealircd, the maintainer should actually already have been > > noticed via the bug. > > In that case, it seems you cho

Re: [arch-general] Package signing

2010-04-29 Thread Linas
Ng Oon-Ee wrote: >> Under which circumstances would you envision the need to trust an old, >> compromised signature? >> > New install, dev for a couple of [extra] packages has already left the > team. Having to recompile every time a dev leaves the team is additional > (unnecessary) hassle IMO,

Re: [arch-general] Package signing

2010-04-29 Thread Denis A . Altoé Falqueto
On Thu, Apr 29, 2010 at 12:40 PM, Allan McRae wrote: > Has anyone had a good look at the other implementations of package signing > (Debian, Fedora, ...) and made a summary of how they handle it? (Long email ahead, sorry...) Good idea, indeed. This is what I've found about Debian: http://www.de

Re: [arch-general] Package signing

2010-04-29 Thread Dan McGee
On Thu, Apr 29, 2010 at 10:40 AM, Allan McRae wrote: > On 30/04/10 01:29, Thomas Bächler wrote: >> >> Am 29.04.2010 00:36, schrieb Linas: >>> >>> Thomas Bächler wrote: We must have a system that allows pacman to automatically verify new developer keys and revoke old ones ... even mo

Re: [arch-general] Package signing

2010-04-29 Thread Allan McRae
On 30/04/10 01:29, Thomas Bächler wrote: Am 29.04.2010 00:36, schrieb Linas: Thomas Bächler wrote: We must have a system that allows pacman to automatically verify new developer keys and revoke old ones ... even more important, revoke them in a way that signatures made before a certain date are

Re: [arch-general] Package signing

2010-04-29 Thread Thomas Bächler
Am 29.04.2010 00:36, schrieb Linas: > Thomas Bächler wrote: >> We must have a system that allows pacman to automatically verify new >> developer keys and revoke old ones ... even more important, revoke them >> in a way that signatures made before a certain date are still accepted, >> but newer ones

Re: [arch-general] Package signing

2010-04-29 Thread Aleksis Jauntēvs
On Wednesday 28 April 2010 16:39:53 Allan McRae wrote: > On 28/04/10 23:32, Aleksis Jauntēvs wrote: > > Hello, > > > > The idea is to implement package signing for Arch similar to rpm GPG > > package signing. > > Good to see someone interested in this. I suggest you join the > pacman-dev list wh

Re: [arch-general] Package signing

2010-04-28 Thread Tavian Barnes
On 28 April 2010 15:37, Linas wrote: [snip] > Packages built by you -> Add your own key. [/snip] Please no, it's way too convenient to be able to do makepkg && su -c "pacman -U whatever" and not bother with keys or signing. You should be able to install unsigned packages, maybe with a confirmati

Re: [arch-general] Package signing

2010-04-28 Thread Denis A . Altoé Falqueto
On Wed, Apr 28, 2010 at 6:37 PM, Linas wrote: > I wrote about this topic ~1 month ago. > You don't need PKCis or distribute the keyrings themselves. GPG supports > transitive trust. > The pacman keyring would be installed by default trusting on whatever keys > a pacman root signature has signed (t

Re: [arch-general] Package signing

2010-04-28 Thread Ng Oon-Ee
On Thu, 2010-04-29 at 00:36 +0200, Linas wrote: > Thomas Bächler wrote: > > We must have a system that allows pacman to automatically verify new > > developer keys and revoke old ones ... even more important, revoke them > > in a way that signatures made before a certain date are still accepted, >

Re: [arch-general] Package signing

2010-04-28 Thread Linas
Thomas Bächler wrote: > We must have a system that allows pacman to automatically verify new > developer keys and revoke old ones ... even more important, revoke them > in a way that signatures made before a certain date are still accepted, > but newer ones aren't. > I don't see this easily being i

Re: [arch-general] Package signing

2010-04-28 Thread Thomas Bächler
Am 28.04.2010 19:18, schrieb Denis A. Altoé Falqueto: > I was thinking about this problem for sometime and the more complex > part is the key distribution and trusting. Now I maybe came to > something useful. Finally, someone realizes that. The distribution and trusting of keys is in fact the mos

Re: [arch-general] Package signing

2010-04-28 Thread Linas
I wrote about this topic ~1 month ago. You don't need PKCis or distribute the keyrings themselves. GPG supports transitive trust. The pacman keyring would be installed by default trusting on whatever keys a pacman root signature has signed (there could also be a different master key for community d

Re: [arch-general] Package signing

2010-04-28 Thread Denis A . Altoé Falqueto
On Wed, Apr 28, 2010 at 3:30 PM, Florian Pritz wrote: > On 28.04.2010 19:18, Denis A. Altoé Falqueto wrote: >> I'm thinking about a two way signing process. The dev signs the >> package and send it to the server. The server would have a script or a >> cron job to verify if the signature is valid a

Re: [arch-general] Package signing

2010-04-28 Thread Daenyth Blank
On Wed, Apr 28, 2010 at 14:32, Denis A. Altoé Falqueto wrote: > This could > also cause problems when downloading some package that depends on a > public key that was not downloaded yet. Adding the keyring to the same rule that prompts you to upgrade pacman before anything else might make sense he

Re: [arch-general] Package signing

2010-04-28 Thread Denis A . Altoé Falqueto
On Wed, Apr 28, 2010 at 2:25 PM, Pierre Schmitz wrote: > On Wed, 28 Apr 2010 14:18:02 -0300, Denis A. Altoé Falqueto > wrote: >> Hi, Allan and Aleksis. >> >> I was thinking about this problem for sometime and the more complex >> part is the key distribution and trusting. Now I maybe came to >> so

Re: [arch-general] Package signing

2010-04-28 Thread Florian Pritz
On 28.04.2010 19:18, Denis A. Altoé Falqueto wrote: > I'm thinking about a two way signing process. The dev signs the > package and send it to the server. The server would have a script or a > cron job to verify if the signature is valid and is from someone > trusted [1]. If so, the original signat

Re: [arch-general] Package signing

2010-04-28 Thread Daenyth Blank
On Wed, Apr 28, 2010 at 13:18, Denis A. Altoé Falqueto wrote: > I'm thinking about a two way signing process. The dev signs the > package and send it to the server. The server would have a script or a > cron job to verify if the signature is valid and is from someone > trusted [1]. If so, the orig

Re: [arch-general] Package signing

2010-04-28 Thread Pierre Schmitz
On Wed, 28 Apr 2010 14:18:02 -0300, Denis A. Altoé Falqueto wrote: > Hi, Allan and Aleksis. > > I was thinking about this problem for sometime and the more complex > part is the key distribution and trusting. Now I maybe came to > something useful. > > I'm thinking about a two way signing proce

Re: [arch-general] Package signing

2010-04-28 Thread Denis A . Altoé Falqueto
On Wed, Apr 28, 2010 at 10:39 AM, Allan McRae wrote: > On 28/04/10 23:32, Aleksis Jauntēvs wrote: >> >> Hello, >> >> The idea is to implement package signing for Arch similar to rpm GPG >> package >> signing. > > Good to see someone interested in this.  I suggest you join the pacman-dev > list whe

Re: [arch-general] Package signing

2010-04-28 Thread b1
On Wed, 2010-04-28 at 22:03 +0800, Ng Oon-Ee wrote: > On Wed, 2010-04-28 at 23:56 +1000, Allan McRae wrote: > > On 28/04/10 23:52, Ng Oon-Ee wrote: > > > On Wed, 2010-04-28 at 23:39 +1000, Allan McRae wrote: > > >> On 28/04/10 23:32, Aleksis Jauntēvs wrote: > > >>> Hello, > > >>> > > >>> The idea i

Re: [arch-general] Package signing

2010-04-28 Thread Ng Oon-Ee
On Wed, 2010-04-28 at 23:56 +1000, Allan McRae wrote: > On 28/04/10 23:52, Ng Oon-Ee wrote: > > On Wed, 2010-04-28 at 23:39 +1000, Allan McRae wrote: > >> On 28/04/10 23:32, Aleksis Jauntēvs wrote: > >>> Hello, > >>> > >>> The idea is to implement package signing for Arch similar to rpm GPG > >>>

Re: [arch-general] Package signing

2010-04-28 Thread Allan McRae
On 28/04/10 23:52, Ng Oon-Ee wrote: On Wed, 2010-04-28 at 23:39 +1000, Allan McRae wrote: On 28/04/10 23:32, Aleksis Jauntēvs wrote: Hello, The idea is to implement package signing for Arch similar to rpm GPG package signing. Good to see someone interested in this. Yes, the monthly forum t

Re: [arch-general] Package signing

2010-04-28 Thread Ng Oon-Ee
On Wed, 2010-04-28 at 23:39 +1000, Allan McRae wrote: > On 28/04/10 23:32, Aleksis Jauntēvs wrote: > > Hello, > > > > The idea is to implement package signing for Arch similar to rpm GPG package > > signing. > > Good to see someone interested in this. Yes, the monthly forum threads were a bit tir

Re: [arch-general] Package signing

2010-04-28 Thread Allan McRae
On 28/04/10 23:32, Aleksis Jauntēvs wrote: Hello, The idea is to implement package signing for Arch similar to rpm GPG package signing. Good to see someone interested in this. I suggest you join the pacman-dev list where all discussion about pacman development occurs. There is also some co

[arch-general] Package signing

2010-04-28 Thread Aleksis Jauntēvs
Hello, The idea is to implement package signing for Arch similar to rpm GPG package signing. Short description follows. Use case for developers: 1. Dev builds package with f.e. "-sign" switch. 2. Dev enters passphrase. 3. makepkg builds the package and creates detached signature (now we have 2

Re: [arch-general] Package signing (was: Arch Linux security is still poor)

2010-03-18 Thread Linas
Myra Nelson wrote: There is one last problem with trust that no one can cure. You either trust the devs or you don't. This is illustrated by a classic quote from Ken Thompson "The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies th

Re: [arch-general] Package signing (was: Arch Linux security is still poor)

2010-03-17 Thread Myra Nelson
On Tue, Mar 16, 2010 at 19:06, Linas wrote: > I had already this email draft in my head, but Ananda 'Arch Linux security > is still poor' thread, on which the point was also brought up, moved me to > really write it. > > First off, there's an implicit level of trust on the package software, no > m

Re: [arch-general] Package signing (was: Arch Linux security is still poor)

2010-03-17 Thread Thomas Bächler
Am 17.03.2010 01:06, schrieb Linas: > There are several ways to close the gap: > *Always download the package list from ftp.archlinux.org > It's the easier solution, but it only protects against the mirror > operator. Moreover, it increases load on that server and makes it a > single point of failu

Re: [arch-general] Package signing (was: Arch Linux security is still poor)

2010-03-16 Thread Allan McRae
On 17/03/10 10:06, Linas wrote: Do you think this is a good idea? Which solution do you prefer? And most important, what would be needed to reach there? There has been discussions on the pacman-dev mailing list and is even partial implementation for package signing available. You should rese

Re: [arch-general] Package signing (was: Arch Linux security is still poor)

2010-03-16 Thread Daenyth Blank
On Tue, Mar 16, 2010 at 20:06, Linas wrote: > I had already this email draft in my head, but Ananda 'Arch Linux security > is still poor' thread, on which the point was also brought up, moved me to > really write it. There's a bug on the tracker about this, please contribute there. There's no poi

[arch-general] Package signing (was: Arch Linux security is still poor)

2010-03-16 Thread Linas
I had already this email draft in my head, but Ananda 'Arch Linux security is still poor' thread, on which the point was also brought up, moved me to really write it. First off, there's an implicit level of trust on the package software, no matter which OS you use. When using Windows, you trus