On Sat, 29 Nov 2008 15:00:20 +0100, Thomas Bächler <thomas@xxxxxxxxxxxxx> wrote:

> Pierre Schmitz wrote:
> > The simplest solution would be if we sign the db files
> > (automatically) on gerolde. Of course this is less secure than
> > signing every single package by its packager; but on the other side
> > it would be easy to implement and there would be no overhead for
> > packagers.
>
> If this is to provide any security, we need to stop using md5! md5 is
> okay when trying to detect corrupted downloads, however it is
> possible to find collisions and thus build a "bad" package that has
> the same md5 as the good package.

For myself I don't accept the "md5sum is bad" argument as a "stopper" for each idea to provide a pacman secure concept ;-)

Current situation is: Everyone who offers a mirror could provide a manipulated pacman or bash package. He could reduce the content of a binary to a simple rm -rf, fdisk or something. He only has to tar "his" package and edit the core.db.tar.gz.

If we sign our db files as a minimum! security: This would make package manipulating more difficult. Content changes of pacman or bash packages (*.pkg.tar.gz) with getting the same md5sum or sha checksum is surely not impossible - but much more difficult than in our current situation.

So let's make a first step!

Gerhard
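The minimum step proposed above (sign the db once on the build host, let the client trust the checksums inside it only after the signature verifies), as an added example that is not code from this thread or from pacman. It assumes a core.db.tar.gz with one `<name-ver>/desc` entry per package carrying `%FILENAME%` and `%MD5SUM%` fields, an OpenSSL RSA key as a stand-in for the repository key, and a constructed one-line file standing in for the package; it then replays the two mirror-side manipulations from the mail (swap the package; swap the package and rewrite the db entry).

```shell
# Added example, not from the mailing-list thread. Requires openssl, tar, md5sum.
# Assumed db layout: <name-ver>/desc with %FILENAME% and %MD5SUM% fields.

build_repo() {                       # repository side: runs on the build host only
  WORK=$(mktemp -d); cd "$WORK"
  openssl genrsa -out repo.key 2048 2>/dev/null
  openssl rsa -in repo.key -pubout -out repo.pub 2>/dev/null   # shipped to clients
  printf 'genuine pacman\n' > pacman-3.2.3-1.pkg.tar.gz        # constructed stand-in
  write_db pacman-3.2.3-1
  openssl dgst -sha256 -sign repo.key -out core.db.tar.gz.sig core.db.tar.gz
}

write_db() {                         # (re)build core.db.tar.gz for package $1
  mkdir -p db/"$1"
  printf '%%FILENAME%%\n%s.pkg.tar.gz\n\n%%MD5SUM%%\n%s\n' \
    "$1" "$(md5sum "$1.pkg.tar.gz" | cut -d' ' -f1)" > db/"$1"/desc
  tar -C db -czf core.db.tar.gz "$1"
}

db_md5sum() {                        # checksum the db records for package $1
  tar -xzOf core.db.tar.gz "$1/desc" | grep -A1 '^%MD5SUM%$' | tail -n1
}

# Client side: succeeds only if the db signature verifies AND the package
# matches the checksum the signed db records for it. A mirror can change
# either one, but not both without the signature failing.
verify_package() {                   # $1 = package name-version
  openssl dgst -sha256 -verify repo.pub -signature core.db.tar.gz.sig \
    core.db.tar.gz >/dev/null 2>&1 || { echo "db signature bad"; return 1; }
  [ "$(db_md5sum "$1")" = "$(md5sum "$1.pkg.tar.gz" | cut -d' ' -f1)" ] \
    || { echo "package checksum does not match signed db"; return 1; }
}

# The two mirror-side manipulations from the thread's threat model.
swap_package()  { printf 'replaced\n' > "$1.pkg.tar.gz"; }   # package only
swap_and_redb() { swap_package "$1"; write_db "$1"; }        # package and db

build_repo
verify_package pacman-3.2.3-1 && echo "genuine mirror: OK"
swap_package pacman-3.2.3-1;   verify_package pacman-3.2.3-1 || true
swap_and_redb pacman-3.2.3-1; verify_package pacman-3.2.3-1 || true
```

Without the signature step, the second manipulation (package plus rewritten desc) passes every checksum check, which is exactly the gap the mail describes.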