Re: [arch-dev-public] Can we trust our mirrors?




Aaron Griffin wrote:
I think we're confusing things here. The checksums in pacman are only
used for integrity, not security. I agree that the first step towards
super-omg-secure packages would be switching to a different checksum,
but sha1 might be deemed insecure soon too. Why not jump over that one
to something like sha256?

Once you sign the repo db file, the checksums are signed as well, so you cannot change a checksum without invalidating the db signature. If you used a secure hash function, this would add a good layer of security (except for the trust issue).

Attachment: signature.asc
Description: OpenPGP digital signature
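The signed-db chain the reply describes, as an added example that is not part of this thread or of pacman's own code: a repo db mapping package names to SHA-256 checksums is signed as a whole, and the client verifies the db signature before trusting any checksum in it, so a mirror can neither swap a package (checksum mismatch) nor rewrite the checksum to match (signature mismatch). Ed25519 stands in for the OpenPGP signing the thread has in mind; the package bytes, names and key pair are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RepoDB is a constructed stand-in for the repo db file: package name -> hex SHA-256 of the package.
type RepoDB map[string]string

// Serialize renders the db deterministically, so a single signature covers every checksum in it.
func (db RepoDB) Serialize() []byte {
	lines := make([]string, 0, len(db))
	for name, sum := range db {
		lines = append(lines, name+" "+sum)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// PkgHash is the checksum the maintainer records for a package file (SHA-256, as the thread suggests).
func PkgHash(pkg []byte) string { return fmt.Sprintf("%x", sha256.Sum256(pkg)) }

// SignDB is the maintainer's step: sign the whole db with a private key that never reaches a mirror.
func SignDB(priv ed25519.PrivateKey, db RepoDB) []byte { return ed25519.Sign(priv, db.Serialize()) }

// VerifyPackage is the client's step: the signed db stops a mirror rewriting checksums, the checksum stops it swapping packages.
func VerifyPackage(pub ed25519.PublicKey, db RepoDB, sig []byte, name string, pkg []byte) error {
	if !ed25519.Verify(pub, db.Serialize(), sig) {
		return fmt.Errorf("db signature invalid: db altered or not signed by the trusted key")
	}
	if want, ok := db[name]; !ok || PkgHash(pkg) != want {
		return fmt.Errorf("checksum mismatch: %q missing from the signed db or altered on the mirror", name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the maintainer's key pair
	good, evil := []byte("constructed package"), []byte("constructed trojaned package")
	db := RepoDB{"example-pkg": PkgHash(good)}
	sig := SignDB(priv, db)
	fmt.Println("genuine:", VerifyPackage(pub, db, sig, "example-pkg", good))
	fmt.Println("swapped package:", VerifyPackage(pub, db, sig, "example-pkg", evil))
	db["example-pkg"] = PkgHash(evil) // mirror also rewrites the checksum to match
	fmt.Println("rewritten db:", VerifyPackage(pub, db, sig, "example-pkg", evil))
}
```

The remaining gap is the "trust issue" the reply mentions: everything here rests on the client holding the right public key, which signing the db cannot solve by itself.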

