On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote:
> And keep in mind that package signing per se will not solve this kind
> of problem. Repository database signing is more important for that
> solution, but is a problem in the current workflow of Arch developers.

How exactly are the core and extra databases populated?

Moreover, instead of building all packages on the private PCs of
developers, I think it is preferable to submit PKGBUILDs to build servers
(via a web interface maybe) and let the servers do the build + signing +
repo update... That way, if a developer's system gets compromised, his
packages will stay clean. Of course that needs extra work and equipment,
but perhaps we can agree to it as a future target.

On another note, an easy but maybe a bit costly way to avoid any MITM
tampering with packages is to serve *.md5 files for every package through a
trusted HTTPS host. Then everyone can query that single host and check
whether the package he got from a mirror is safe.

Costs: a little more traffic from serving hash files to everyone, plus the
cost of the certificate from a CA. Is the income Arch receives from
ads and schwag enough for such a simple solution?

Dimitris
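A minimal client-side check for the scheme proposed in the mail above (hash files for each package served from a trusted HTTPS host, the package bytes themselves fetched from any mirror), written as an added example; it is not part of the original mail and not pacman's own code. The package bytes, the package filename and the contents of the hash file are constructed here to stand in for what a mirror and the trusted host would serve. The digest algorithm is a parameter: the mail proposes *.md5 files, so md5 is the default, but MD5 is collision-weak and SHA-256 is what a defender would publish today.

```python
import hashlib
import hmac
import urllib.request
from typing import Dict, Optional

# Constructed sample data: bytes that stand in for a package downloaded from
# an untrusted mirror, and a tampered copy of the same package.
PACKAGE_NAME = "examplepkg-1.0-1-x86_64.pkg.tar.xz"   # hypothetical filename
PACKAGE_FROM_MIRROR = b"constructed package contents v1\n"
TAMPERED_PACKAGE = PACKAGE_FROM_MIRROR + b"\x00 extra bytes injected in transit"


def digest_hex(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of data using the named hashlib algorithm (md5, sha256, ...)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


# What the trusted HTTPS host would serve for this package, in the
# '<hexdigest>  <filename>' line format that md5sum/sha256sum emit.
# Constructed from the sample bytes above so the example runs offline.
TRUSTED_HASH_FILE = f"{digest_hex(PACKAGE_FROM_MIRROR)}  {PACKAGE_NAME}\n"


def fetch_trusted_hash_file(url: str, timeout: float = 10.0) -> str:
    """Download a hash file, refusing anything that is not HTTPS.

    The whole scheme rests on the hash file coming over an authenticated
    channel; a plain-HTTP fetch could be tampered with like the package.
    urllib verifies the server certificate against the system CA store.
    (Not called by the offline demo below.)
    """
    if not url.lower().startswith("https://"):
        raise ValueError("hash file must be fetched over HTTPS: %r" % url)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="strict")


def parse_hash_file(text: str) -> Dict[str, str]:
    """Parse '<hexdigest>  <filename>' lines into {filename: hexdigest}.

    Blank lines and '#' comments are skipped; a leading '*' on the filename
    (md5sum's binary-mode marker) is dropped.
    """
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore rather than trust
        hexdigest, name = parts
        hashes[name.lstrip("*")] = hexdigest.lower()
    return hashes


def verify_package(filename: str, data: bytes, trusted_hash_text: str,
                   algorithm: str = "md5") -> bool:
    """True only if the digest of data matches the trusted entry for filename.

    A missing entry is treated as a failure: an attacker who can drop a line
    from a mirror copy must not thereby make the check pass.
    """
    expected: Optional[str] = parse_hash_file(trusted_hash_text).get(filename)
    if expected is None:
        return False
    actual = digest_hex(data, algorithm)
    # constant-time comparison; also returns False on length mismatch
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("clean package verifies:   ",
          verify_package(PACKAGE_NAME, PACKAGE_FROM_MIRROR, TRUSTED_HASH_FILE))
    print("tampered package verifies:",
          verify_package(PACKAGE_NAME, TAMPERED_PACKAGE, TRUSTED_HASH_FILE))
```

The check only moves trust from every mirror to one HTTPS host plus the CA that issued its certificate; it does not tell the client whether the hash file itself was produced from a clean build, which is the gap database or package signing closes.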