> How exactly is core and extra database populated?
>
> Moreover, instead of building all packages in the private PCs of developers

Packages are not built on developers' computers but on build machines, as explained here:
http://wiki.archlinux.org/index.php/Pacbuild

There is also an implementation of package signing in pacman on the link Xavier provided some emails up on this conversation. I don't think there is any need to re-think it all. Just need to be tested. I am currently trying to set up a build system on my box and will then try to use these patches to provide feedback.

On 15 June 2010 15:57, Dimitrios Apostolou <jimis@xxxxxxx> wrote:

> On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote:
>
>> And keep in mind that package signing per se will not solve this kind
>> of problems. Repository database signing is more important for that
>> solution, but is a problem in the current workflow of Arch developers.
>>
>
> How exactly is core and extra database populated?
>
> Moreover, instead of building all packages in the private PCs of
> developers, I think it is preferable to submit PKGBUILDs to build servers
> (via web interface maybe) and let the servers do the build + signing +
> repoupdate... That way if a developer's system gets compromised his packages
> will stay clean. Of course that needs extra work and equipment, but perhaps
> we can agree to it as a future target.
>
> On another note, an easy but maybe a bit costly way to avoid any MITM
> tampering to packages, is serve *.md5 files for every package through a
> trusted HTTPS host. Then everyone can query that single host and check if
> the package he got from a mirror is safe.
>
> Costs: A little more traffic by serving hash files to everyone plus the
> cost of the certificate from a CA. Is the income Arch receives from ads and
> schwag enough for such a simple solution?
>
>
> Dimitris
>
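
The mirror check proposed in the quoted message (compare a package fetched from a mirror against a `*.md5` file served by a trusted HTTPS host), written out as an added example that is not part of the thread or of pacman. The package name, payload and checksum file are constructed, and the checksum text is assumed to have already been fetched over certificate-verified HTTPS.

```python
import hashlib
import hmac
import string

# Constructed sample data: a "package" as downloaded from a mirror, and the
# checksum file as it would be served by the trusted HTTPS host.
PKG_NAME = "example-1.0-1-any.pkg.tar.xz"  # hypothetical file name
GOOD_PKG = b"constructed package payload\n"
TRUSTED_MD5_FILE = f"{hashlib.md5(GOOD_PKG).hexdigest()}  {PKG_NAME}\n"

HEX = set(string.hexdigits)


def parse_checksum_file(text):
    """Parse md5sum-style lines ("<hex>  <name>") into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # md5sum marks binary mode with '*'
        if len(digest) != 32 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_package(name, data, checksum_text):
    """True only if the trusted file lists `name` with a matching digest."""
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        return False  # fail closed: no trusted entry means not verified
    actual = hashlib.md5(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    tampered = GOOD_PKG + b"extra bytes added in transit"
    print("clean mirror copy:", verify_package(PKG_NAME, GOOD_PKG, TRUSTED_MD5_FILE))
    print("tampered copy:   ", verify_package(PKG_NAME, tampered, TRUSTED_MD5_FILE))
```

MD5 is used here because the message proposes `*.md5` files; it is not collision resistant, and the same check with `hashlib.sha256` and 64-digit entries is the stronger choice.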