On Sun, 2010-06-13 at 10:48 +0100, Ananda Samaddar wrote:
> On Sun, 13 Jun 2010 19:48:53 +1000
> Allan McRae <allan@xxxxxxxxxxxxx> wrote:
>
> > > This is the reason why we need package signing for Pacman. I'm
> > > aware that some progress has been made and it's being worked on.
> > > Are there any updates?
> >
> > Yes... because package signing magically fixes all upstream issues.
> >
> > Allan
>
> My point was that malicious attackers can add compromised packages to
> mirrors and alter the repo.db. Package signing would mitigate that. I
> was attempting to say that what happened in this instance could happen
> to an Arch mirror or mirrors. There's no need to be rude.

Every time this comes up the response is the same. Package signing will
only be a big deal if enough people are willing to get coding to implement
it. Necessity is determined by availability, not the other way round. The
way I see it, if no one is willing to work on it, it can't be too important
in a general sense.
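The attack described in the quoted message, a mirror that swaps in a backdoored package and rewrites repo.db so the per-package digest still matches, and the reason a maintainer signature over the database defeats it, as an added worked example. This is not code from the thread or from pacman: the one-line-per-package repo.db format, the package name "openssl", the package bytes, and the use of Ed25519 from Go's standard library are all assumptions made to keep the example self-contained. The mirror here holds everything a compromised mirror operator can rewrite; what it does not hold is the maintainer's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RepoDB stands in for repo.db (assumed format): package name -> hex SHA-256 of the package file.
type RepoDB map[string]string

// Mirror is everything a mirror operator, or whoever has compromised the mirror, can rewrite.
type Mirror struct {
	DB       RepoDB
	DBSig    []byte            // maintainer's signature over DB.Serialize()
	Packages map[string][]byte // package name -> file bytes as served
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Serialize renders repo.db in a fixed order so the signature covers stable bytes.
func (db RepoDB) Serialize() []byte {
	names := make([]string, 0, len(db))
	for n := range db {
		names = append(names, n)
	}
	sort.Strings(names)
	var sb strings.Builder
	for _, n := range names {
		fmt.Fprintf(&sb, "%s %s\n", n, db[n])
	}
	return []byte(sb.String())
}

// CheckDigestOnly models a client that trusts repo.db exactly as the mirror served it.
func CheckDigestOnly(m *Mirror, name string) error {
	want, ok := m.DB[name]
	if !ok {
		return errors.New("package not in repo.db")
	}
	if digest(m.Packages[name]) != want {
		return errors.New("package digest does not match repo.db")
	}
	return nil
}

// CheckSigned models a client with a pinned maintainer key: verify the repo.db
// signature first, and only then trust the digests it carries.
func CheckSigned(pub ed25519.PublicKey, m *Mirror, name string) error {
	if !ed25519.Verify(pub, m.DB.Serialize(), m.DBSig) {
		return errors.New("repo.db signature invalid: mirror content is not authentic")
	}
	return CheckDigestOnly(m, name)
}

// publish builds an honest mirror holding one constructed package. The private key
// stays with the maintainer; the mirror only ever receives the signature.
func publish() (ed25519.PublicKey, *Mirror) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed honest package bytes")
	db := RepoDB{"openssl": digest(pkg)}
	return pub, &Mirror{
		DB:       db,
		DBSig:    ed25519.Sign(priv, db.Serialize()),
		Packages: map[string][]byte{"openssl": pkg},
	}
}

// tamper is the attack from the thread: swap the package and rewrite repo.db to match.
// Without the private key the attacker cannot refresh DBSig, so it goes stale.
func tamper(m *Mirror) {
	evil := []byte("constructed backdoored package bytes")
	m.Packages["openssl"] = evil
	m.DB["openssl"] = digest(evil)
}

// Outcome reports whether a digest-only client and a signature-checking client
// would each install "openssl" from the mirror, optionally after tampering.
func Outcome(tampered bool) (digestOnlyOK, signedOK bool) {
	pub, m := publish()
	if tampered {
		tamper(m)
	}
	return CheckDigestOnly(m, "openssl") == nil, CheckSigned(pub, m, "openssl") == nil
}

func main() {
	d, s := Outcome(true)
	fmt.Printf("tampered mirror: digest-only client installs=%v, signed client installs=%v\n", d, s)
}
```

Run with `go run .`: against the tampered mirror the digest-only client installs the backdoored package, because the attacker controls both the file and the digest it is compared against, while the signature-checking client refuses, because the rewritten repo.db no longer verifies under the pinned key. One caveat worth keeping in mind when designing the real thing: a signature alone does not stop a mirror from serving an old but validly signed repo.db to hold clients on known-vulnerable versions; that needs a freshness check (an expiry or timestamp inside the signed data) on top of the signature.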