On Tue, Jun 15, 2010 at 11:43 AM, Aleksis Jauntēvs <aleksis.jauntevs@xxxxxxxxx> wrote:
> On Tuesday 15 June 2010 19:37:00 Pierre Schmitz wrote:
>> On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs
>> <aleksis.jauntevs@xxxxxxxxx> wrote:
>> > I don't think that repo.db should be signed and it is enough to sign only
>> > the packages. As I understand so far the only reason to sign the repo.db file is
>> > to prevent "replay" situations in repos.
>>
>> It's the other way round: signing the DB is important while signing single
>> packages is not (but should still be done for some reasons).
>>
>> If the DB is not signed I could simply add additional packages or replace
>> packages.
>
> Yes, but if we compare the repo.db's with other mirrors then we could tell
> that this has happened.

Seems to defeat the purpose when you have to cross-check everything. Nothing is secure unless the entire chain is secure.

I'd say give devs their own private keys to sign packages, and have the build server auto-sign DBs upon upload of a new package. Use detached sigs and push them with the package. Use a detached sig for the repo, and download it with the db file. If the client doesn't understand signatures, it just doesn't download/use them.

I think a pacman wrapper could even implement this, as a proof of concept.