On Wednesday, February 5, 2020 3:55 AM, Eli Schwartz via arch-general
wrote:
> On 2/2/20 4:59 PM, Christopher W. via arch-general wrote:
>
> > Hi. The wiki states that database signatures for pacman are currently
> > a work in progress. It's been that way for a long time, so I assume
> > there is
On Wednesday, February 5, 2020 3:55 AM, Eli Schwartz via arch-
> As Levente said, this is supported by pacman, but not by Arch Linux --
> and the reason for the latter is that it is complicated to come up with
> a signing scheme which everyone is happy with. It needs to support
> remote server sign
On 2/2/20 4:59 PM, Christopher W. via arch-general wrote:
> Hi. The wiki states that database signatures for pacman are currently
> a work in progress. It's been that way for a long time, so I assume
> there is no "progress" happening. What is currently in the way of this
> much-needed security fea
Could a tempfile be used or the file name from the URL instead of the
content disposition? At least prior to signature verification? Seems this
could still be "exploited" by specifying a file name of another source in
the package perhaps? Makes me wonder about the ::dest suffix of sources
albeit th
On 2/2/20 10:59 PM, Christopher W. via arch-general wrote:
> Hi. The wiki states that database signatures for pacman are currently
> a work in progress. It's been that way for a long time, so I assume
> there is no "progress" happening. What is currently in the way of this
> much-needed security fe
Hi. The wiki states that database signatures for pacman are currently
a work in progress. It's been that way for a long time, so I assume
there is no "progress" happening. What is currently in the way of this
much-needed security feature to be fully implemented?
Right now, pacman is taking untrust
6 matches