On 03/16/2010 07:24 PM, Nilesh Govindarajan wrote:
> On Tue, Mar 16, 2010 at 10:48 PM, Jared Casper <jaredcasper@xxxxxxxxx> wrote:
>> On Tue, Mar 16, 2010 at 8:49 AM, Aaron Griffin <aaronmgriffin@xxxxxxxxx> wrote:
>>> On Tue, Mar 16, 2010 at 12:32 AM, Nilesh Govindarajan <lists@xxxxxxxxxx> wrote:
>>>> I don't think we need any security team for Arch. New packages are
>>>> released within a week of their updates. GPG signing and md5sum
>>>> verification is a must though.
>>>
>>> md5sum verification has ALWAYS been done
>>
>> In a security context, verification of files installed by a package
>> _after installation_ would be nice. i.e. "pacman --verify
>> /usr/sbin/sshd" would tell me if the md5sum (or sha1sum, etc) of my
>> /usr/sbin/sshd matches that of the official package.
>>
>> Jared
>
> Let this thread not be just another "Will be nice" one. Pacman devs,
> please start implementing these package verification things.
sudo make me a sandwich.
--
Ionut