On Tue, Mar 16, 2010 at 1:24 PM, Nilesh Govindarajan <lists@xxxxxxxxxx> wrote:
> On Tue, Mar 16, 2010 at 10:48 PM, Jared Casper <jaredcasper@xxxxxxxxx> wrote:
>> On Tue, Mar 16, 2010 at 8:49 AM, Aaron Griffin <aaronmgriffin@xxxxxxxxx> wrote:
>>> On Tue, Mar 16, 2010 at 12:32 AM, Nilesh Govindarajan <lists@xxxxxxxxxx> wrote:
>>>> I don't think we need any security team for Arch. New packages are
>>>> released within a week of their updates. GPG signing and md5sum
>>>> verification is a must though.
>>>
>>> md5sum verification has ALWAYS been done
>>>
>>
>> In a security context, verification of files installed by a package
>> _after installation_ would be nice. i.e. "pacman --verify
>> /usr/sbin/sshd" would tell me if the md5sum (or sha1sum, etc) of my
>> /usr/sbin/sshd matches that of the official package.
>>
>> Jared
>>
>
> Let this thread not be just another "Will be nice" one. Pacman devs,
> please start implementing these package verification things.

Users who want these things, please start joining the pacman dev team.