On 01/31/2010 08:31 PM, Ananda Samaddar wrote:
I really like Arch. I switched about a year ago after being a Debian user for nine years. There is something that troubles me about Arch, though: its lack of security focus. By this I mean there is no consistent way that security issues are dealt with. There was a proposal for 'The Arch Linux Security Team' but it seems to have fallen by the wayside [1]. I propose to resurrect this in the spirit of Arch's users becoming contributors.

I, hopefully not alone, wish to draw up a list of processes that can be used to create a dedicated Arch Linux security team that can deal quickly and efficiently with security alerts. It would need to be able to liaise successfully with Arch developers, and hopefully over time security team members can become trusted users.

I'm mentioning it now as I notice that an Arch Conference is being organised in Canada. One of my proposals (shamefully stolen from Debian) would be to have key-signing parties at Arch Linux meet-ups. This could then be used to create an Arch Linux web of trust.

So basically I'm going to get my ideas into writing and post them on this list. I hope others will be willing to come forward and contribute too. After some discussion we should be able to reach a consensus and start giving security issues the priority they deserve.

regards,
Ananda Samaddar

[1] http://wiki.archlinux.org/index.php/Security_Task_Force
Key signing is not required for us, I think, because Arch people are the first to release package updates. It is tested properly and is given in .tar.gz archives. Even if a byte is altered in the archive, its md5sum would change, so pacman would complain.
--
Nilesh Govindarajan
Site & Server Administrator
www.itech7.com
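The checksum mechanism Nilesh describes above, as an added example that is not part of the original thread and is not pacman's own code: a .tar.gz archive is built in memory from constructed sample files, its MD5 is recorded, a single byte is flipped, and the verification function reports the mismatch. The helper names (build_archive, verify_checksum, tamper) are assumptions made for this illustration.

```python
import hashlib
import io
import tarfile


def build_archive(files):
    """Build a .tar.gz archive in memory from a {name: bytes} mapping.

    The file contents are constructed sample data standing in for a package.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def md5_hex(data):
    """Hex MD5 digest of the archive bytes, as an md5sum line would carry it."""
    return hashlib.md5(data).hexdigest()


def verify_checksum(archive, expected_md5):
    """True only if the archive hashes to the recorded digest."""
    return md5_hex(archive) == expected_md5


def tamper(archive, offset=None, mask=0x01):
    """Return a copy of the archive with one byte altered (XOR with mask).

    Defaults to a byte in the middle of the compressed stream so the change
    lands inside the payload rather than in the gzip header or trailer.
    """
    data = bytearray(archive)
    if offset is None:
        offset = len(data) // 2
    data[offset] ^= mask
    return bytes(data)


if __name__ == "__main__":
    # Constructed sample package content; not a real Arch package.
    pkg = build_archive({
        "usr/bin/tool": b"#!/bin/sh\necho hello\n",
        ".PKGINFO": b"pkgname = sample\npkgver = 1.0-1\n",
    })
    recorded = md5_hex(pkg)
    print("clean archive verifies:", verify_checksum(pkg, recorded))
    print("altered archive verifies:", verify_checksum(tamper(pkg), recorded))
```

The recorded digest only catches alteration when it is obtained from somewhere the archive's own delivery path cannot also rewrite; a checksum shipped next to the archive through the same channel detects corruption in transit but says nothing about who produced the archive, which is the gap a signature over the package (or over the repository database) is meant to close.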