On 17.03.2010 01:06, Linas wrote:
> There are several ways to close the gap:
> *Always download the package list from ftp.archlinux.org
> It's the easier solution, but it only protects against the mirror
> operator. Moreover, it increases load on that server and makes it a
> single point of failure.

ftp.archlinux.org is yet another mirror ... a very slow one.

> *Package lists are signed from a trusted master key. There may be up to
> a key per repo.
> Easy to provide, allows backward compatibility.

Signing databases would work if we had another hash than md5 for packages.

> *Packages are automatically signed by ftp.archlinux.org before
> distributing them.

Hmm, see above.
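As an added illustration of the signed-package-list option discussed above (example code, not from the thread and not pacman's own): a Go sketch in which a constructed per-repo ed25519 key signs a package list that carries SHA-256 digests, and a client verifies the signature before checking a downloaded file against the listed digest. The key, package names and package bytes are all constructed for the example; SHA-256 is used in place of the md5 the reply objects to.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// PackageDigest hashes a package file; SHA-256 stands in for the md5 the thread objects to.
func PackageDigest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildList renders the package list as "name digest" lines in the given order; the repo key signs this text.
func BuildList(names []string, pkgs map[string][]byte) string {
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, PackageDigest(pkgs[n]))
	}
	return b.String()
}

// VerifyPackage checks the chain a client relies on: a valid repo signature over the
// list, then the downloaded file against the digest that signed list records for name.
func VerifyPackage(pub ed25519.PublicKey, list string, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, []byte(list), sig) {
		return fmt.Errorf("package list signature invalid")
	}
	for _, line := range strings.Split(strings.TrimSpace(list), "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == name {
			if PackageDigest(data) != f[1] {
				return fmt.Errorf("%s: digest mismatch", name)
			}
			return nil
		}
	}
	return fmt.Errorf("%s: not in signed list", name)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed repo key, not a real Arch key
	pkgs := map[string][]byte{"pacman": []byte("constructed package bytes")}
	list := BuildList([]string{"pacman"}, pkgs)
	sig := ed25519.Sign(priv, []byte(list)) // detached signature shipped beside the list
	fmt.Println(VerifyPackage(pub, list, sig, "pacman", []byte("altered on a mirror")))
}
```

A mirror that alters a package fails the digest check, and one that edits the list fails the signature check; a weak digest would reopen the first gap even with a valid signature.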