On Tue, Mar 16, 2010 at 10:48 PM, Jared Casper <jaredcasper@xxxxxxxxx> wrote:
> On Tue, Mar 16, 2010 at 8:49 AM, Aaron Griffin <aaronmgriffin@xxxxxxxxx> wrote:
>> On Tue, Mar 16, 2010 at 12:32 AM, Nilesh Govindarajan <lists@xxxxxxxxxx> wrote:
>>> I don't think we need any security team for Arch. New packages are
>>> released within a week of their updates. GPG signing and md5sum
>>> verification is a must though.
>>
>> md5sum verification has ALWAYS been done
>>
>
> In a security context, verification of files installed by a package
> _after installation_ would be nice. i.e. "pacman --verify
> /usr/sbin/sshd" would tell me if the md5sum (or sha1sum, etc) of my
> /usr/sbin/sshd matches that of the official package.
>
> Jared
>

Let this thread not be just another "Will be nice" one. Pacman devs,
please start implementing these package verification things.

--
Nilesh Govindarajan
Site & Server Administrator
www.itech7.com
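The post-installation check requested in the quoted text, sketched as an added example (not part of the thread and not pacman code): it hashes each file inside a package archive and compares it with the copy under an install root. The function names, the SHA-256 choice and the demo package are assumptions, and the archive itself is assumed to be a trusted, already verified copy.

```python
import hashlib, io, os, tarfile, tempfile

def file_digest(fobj, algo="sha256"):
    """Hash a file object in chunks so large binaries are not loaded whole."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: fobj.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()

def package_manifest(pkg_path, algo="sha256"):
    """Map each regular file in the (trusted) package archive to its digest."""
    manifest = {}
    with tarfile.open(pkg_path) as tar:
        for member in tar:
            # Skip top-level metadata entries such as .PKGINFO; they are not installed.
            if member.isfile() and not member.name.startswith("."):
                manifest[member.name] = file_digest(tar.extractfile(member), algo)
    return manifest

def verify_installed(pkg_path, root="/", algo="sha256"):
    """Return {path: 'ok' | 'modified' | 'missing'} for every packaged file."""
    results = {}
    for name, expected in package_manifest(pkg_path, algo).items():
        installed = os.path.join(root, name)
        if not os.path.isfile(installed):
            results[name] = "missing"
            continue
        with open(installed, "rb") as f:
            results[name] = "ok" if file_digest(f, algo) == expected else "modified"
    return results

def demo():
    """Constructed package and install root: one file altered, one removed."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "demo.pkg.tar")
        packaged = {"usr/sbin/sshd": b"original sshd\n", "etc/demo.conf": b"key=1\n",
                    "usr/share/doc/demo": b"readme\n"}
        with tarfile.open(pkg, "w") as tar:
            for name, data in packaged.items():
                info = tarfile.TarInfo(name)
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        installed = {"usr/sbin/sshd": b"tampered sshd\n", "etc/demo.conf": b"key=1\n"}
        root = os.path.join(tmp, "root")
        for name, data in installed.items():
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return verify_installed(pkg, root)
```

A "modified" result on a configuration file is often a legitimate local edit, so findings on binaries such as /usr/sbin/sshd carry more weight than findings under /etc.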