2014/1/12 Taylor Hornby <havoc@xxxxxxxxx>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/12/2014 01:56 PM, Kyle Terrien wrote:
> > On 01/12/2014 12:40 PM, Taylor Hornby wrote:
> >>> I guess I just don't understand what happens when I type
> >>> "pacman -S firefox." Does that run the PKGBUILD on my system,
> >>> or does it download and install pre-compiled (and signed)
> >>> Firefox binaries that were created by one of the Arch
> >>> developers using the PKGBUILD?
> > "pacman -S firefox" installs a pre-compiled binary maintained by an
> > Arch Dev. On the other hand, PKGBUILDs are for building packages.
> >
> > And the official firefox package is cryptographically signed by
> > the package maintainer (not Mozilla).
> >
> > Hopefully, that clears things up.
>
> Thank you, that makes so much more sense!
>
> So, really, the vulnerability only exists while the Arch dev (or
> package maintainer or whatever they're called) is building the
> package. Once they do, and sign it, all Arch users will verify their
> signature to make sure they get the same file the Arch dev created.
>
> That's not so bad, then, since you can't really do any better unless
> the upstream source (Mozilla) signs their files, and the package
> maintainer has their public key.

I think this could yet be a problem if the sysadmin wants to build all of its system. Then he will fall into the same problem with the AUR PKGBUILDs, or am I wrong?
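To make the "window only exists at build time" point concrete, here is an added example (not code from the thread, Arch, or makepkg) of the one check that pins an upstream tarball when a PKGBUILD is built: the sha256sums entry the packager recorded when they fetched the source. It mimics makepkg's behaviour of refusing to build on a mismatch and of pinning nothing when the entry is SKIP. The "tarball" is a constructed text file, and check_source and the sha256_of helper are hypothetical names chosen for this illustration.

```shell
#!/bin/sh
# Added example: a stand-in for the source-integrity step of a PKGBUILD build.
# Nothing here is makepkg's own code; it only models the check that the
# sha256sums array in a PKGBUILD gives you. A detached upstream signature
# (validpgpkeys) is the only way to get stronger than a packager-recorded hash.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample standing in for e.g. firefox-NN.source.tar.bz2
printf 'pretend this is the firefox source tarball\n' > "$WORK/firefox.tar"

# sha256_of <file>: portable SHA-256 (coreutils sha256sum or perl/BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_source <file> <expected-sha256|SKIP>
# Returns 0 when the file matches the pinned checksum, 1 otherwise. SKIP is
# accepted but pins nothing, which is exactly the hole a SKIP entry leaves.
check_source() {
    file=$1
    expected=$2
    if [ "$expected" = "SKIP" ]; then
        echo "WARNING: $file: checksum is SKIP, nothing pins this source" >&2
        return 0
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "ERROR: $file: expected $expected, got $actual" >&2
    return 1
}

# The pin: the hash the packager wrote into sha256sums=() at packaging time.
PINNED=$(sha256_of "$WORK/firefox.tar")

# A later "download" that was altered in transit, as a MITM would do it.
cp "$WORK/firefox.tar" "$WORK/tampered.tar"
printf 'echo pwned\n' >> "$WORK/tampered.tar"

# Stand-alone demonstration (guarded so set -e does not abort on the expected failure).
if check_source "$WORK/firefox.tar" "$PINNED"; then echo "genuine tarball: accepted"; fi
if check_source "$WORK/tampered.tar" "$PINNED"; then echo "BUG"; else echo "tampered tarball: rejected"; fi
if check_source "$WORK/tampered.tar" SKIP; then echo "tampered tarball with SKIP: accepted (unpinned)"; fi
```

The takeaway for the "build everything myself" case raised above: whether you install the maintainer's signed binary or rebuild from the PKGBUILD, the tarball is only as trustworthy as the hash (or upstream signature) the packager recorded, and a SKIP entry records nothing.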