On 02/04/14 01:00 PM, Daniel Micay wrote:
> On 02/04/14 12:47 PM, Nowaker wrote:
>>> There may be a transparent proxy in your routing chain that strips
>>> compression in order to run a virus scan.
>>
>> Time for SSL-securing Arch Linux repos to prevent any sort of
>> man-in-the-middle attacks? Even such trivial things like compression
>> stripping, or image optimization often performed by mobile internet
>> providers is a man-in-the-middle. This should be fought by any means.
>
> Packages are already signed, and pacman has support for signing the
> repositories. Using TLS for repositories is close to useless because the
> mirrors are not *really* trusted entities, and the CA system is a broken
> alternative to the solid archlinux-keyring package.

We aren't actually signing the sync databases yet, but should be. Even if it means using a low-trust key on the servers, it would need to be treated differently than the package signing keys if it was a lower trust level though, because it shouldn't be able to sign packages.
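An added illustration, not part of the original message: how the package/database distinction discussed above appears in pacman's `SigLevel` setting. The repository name and mirror URL are hypothetical placeholders, and the stricter lines assume the repository actually publishes signed sync databases.

```ini
# /etc/pacman.conf (fragment, constructed example)

[options]
# Packages must carry a valid signature from a trusted key.
# A sync database signature is verified only if one is present,
# so an unsigned (or signature-stripped) database is still accepted.
SigLevel = Required DatabaseOptional

# Stricter form: also refuse any sync database that lacks a valid
# signature from a trusted key. Syncing fails unless the repository
# ships a signature alongside its database.
#SigLevel = Required DatabaseRequired DatabaseTrustedOnly

# Hypothetical repository that signs its database; the per-repo
# SigLevel overrides the [options] default for this repo only.
[example-repo]
SigLevel = PackageRequired DatabaseRequired
Server = http://mirror.example.invalid/$repo/os/$arch
```

`SigLevel` controls how strictly each artifact type is checked; on its own it does not restrict which key may sign which type, which is the separation the message asks for.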