On 04/11/2014 04:27 PM, Daniel Wallace wrote:
> So you're saying... blindly trusting someone else that is unknown
> to build and blindly sign a package is more secure than you
> downloading the pkgbuild with cower or something, looking at the
> PKGBUILD, and then using makepkg...
>
> How is that?

No, that person has to be trusted not to actively sign malicious binaries of their own creation and to keep their private key secret.

I'm saying: A single trusted person blindly building and signing packages is more secure than everyone blindly building and signing packages. It's a single opportunity for attack on everyone versus an opportunity for an attack each time a user installs a package from the AUR. The former is more detectable after-the-fact (thus much less likely to be done by an intelligence agency like the NSA) and can be done in a safer environment (cable internet connection in the USA vs. a WiFi hotspot in Syria). The process could also involve grabbing the files (or hashes) through different Tor exit nodes and comparing them to make sure they're all the same, and there's no attacker messing with the local Internet connection.

> Second, where do you propose the computing time and the storage
> space comes from to support this kind of repository?

Would it really be that much? How do other distributions manage it?
-Taylor

-- 
Taylor Hornby
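The cross-check described in the message above (fetch the same file through several independent paths and refuse it unless every copy agrees), as an added example that is not part of the original email. The three copies, the path labels and the PKGBUILD text are constructed stand-ins for bytes retrieved over separate circuits; the check itself is transport-agnostic.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: one PKGBUILD as seen through three download paths
# (e.g. three distinct Tor circuits). The third copy has been altered in
# transit, which is exactly the case the comparison is meant to catch.
PKGBUILD_GOOD = (
    b"pkgname=example\n"
    b"pkgver=1.0\n"
    b"source=('https://example.invalid/example-1.0.tar.gz')\n"
)
PKGBUILD_BAD = PKGBUILD_GOOD.replace(b"example.invalid", b"evil.invalid")

SAMPLE_COPIES: Dict[str, bytes] = {
    "path-A": PKGBUILD_GOOD,
    "path-B": PKGBUILD_GOOD,
    "path-C": PKGBUILD_BAD,
}


def digest(data: bytes) -> str:
    """SHA-256 hex digest of one fetched copy."""
    return hashlib.sha256(data).hexdigest()


def cross_check(copies: Dict[str, bytes]) -> Tuple[Optional[str], List[str]]:
    """Compare copies fetched over independent paths.

    Returns (agreed digest, []) only when every copy is byte-identical.
    Otherwise returns (None, outliers): the paths whose copy differs from
    the most common digest. A majority is used only to name the odd ones
    out; any disagreement at all is a failure, never a 2-of-3 vote to accept.
    """
    if not copies:
        raise ValueError("no copies to compare")
    digests = {path: digest(data) for path, data in copies.items()}
    counts = Counter(digests.values())
    majority, _ = counts.most_common(1)[0]
    if len(counts) == 1:
        return majority, []
    outliers = sorted(p for p, d in digests.items() if d != majority)
    return None, outliers


if __name__ == "__main__":
    agreed, bad_paths = cross_check(SAMPLE_COPIES)
    print("agreed digest:", agreed, "divergent paths:", bad_paths)
```

A file that fails the check should be discarded rather than inspected by hand, since the point is that at least one path is serving something different from the others.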