#1 2012-03-09 00:53:13

llg179
Member
Registered: 2012-03-04
Posts: 12

questions related to pacman 4 security

Hello,

Pacman 4 introduces package signing with a web of trust. This aims to ensure that binaries are not altered after a trusted developer builds them.
How do you ensure the same with the source? ABS uses svn? Why not git?

Thanks,


#2 2012-03-09 01:45:25

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,600

Re: questions related to pacman 4 security

The PKGBUILD uses md5 or shaxxx sums. https://wiki.archlinux.org/index.php/PKGBUILD#md5sums

Last edited by graysky (2012-03-09 01:46:05)


#3 2012-03-09 02:11:48

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: questions related to pacman 4 security

Are you sure abs uses svn?


#4 2012-03-09 07:22:53

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,804

Re: questions related to pacman 4 security


#5 2012-03-09 08:41:47

llg179
Member
Registered: 2012-03-04
Posts: 12

Re: questions related to pacman 4 security

Can you please pass a link to a proper guide on how the source code is managed? I feel that pacman4's signature system does not appear at the source level; however, my feeling might be wrong. Md5sum is nice, I did not recognise that, thank you; however, changing "the master" md5sum is not a challenge after a "malicious" code update.

Last edited by llg179 (2012-03-09 08:45:06)


#6 2012-03-09 08:51:46

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941

Re: questions related to pacman 4 security

llg179 wrote:

Hello,

Pacman 4 introduces package signing with a web of trust. This aims to ensure that binaries are not altered after a trusted developer builds them.
How do you ensure the same with the source? ABS uses svn? Why not git?

Thanks,

ABS uses rsync and users get a snapshot generated from svn from our server. I know that you can sign releases in git, but git doesn't suit our way of doing packaging.



#7 2012-03-09 09:07:22

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,404

Re: questions related to pacman 4 security

The PKGBUILD can verify the upstream source using PGP signatures. e.g.
source=(ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz{,.sig})

But I am still not sure what your question is. Are you concerned that when you build from source the PKGBUILD from ABS might have changed?
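Allan's `{,.sig}` convention, as an added example that is not code from this thread or from pacman/makepkg: a small Python audit that reads a constructed PKGBUILD without executing it, expands the `$var` references and `{,.sig}` brace alternatives in `source=()`, and lists the sources protected only by the checksum stored in the PKGBUILD itself, which is the case llg179 is worried about. The sample package, its URLs and checksum values, and the `.sig`/`.asc`/`.sign` suffix set are assumptions.

```python
import re
from itertools import product

# Constructed sample PKGBUILD (not a real Arch package, checksums are made up):
# the first source ships a detached .sig, the second relies on md5sum alone.
SAMPLE_PKGBUILD = """\
pkgname=example
pkgver=1.2
pkgrel=1
source=(ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz{,.sig}
        https://example.invalid/helper-0.3.tar.gz)
md5sums=('d41d8cd98f00b204e9800998ecf8427e'
         'SKIP'
         '0123456789abcdef0123456789abcdef')
"""

def _scalars(text):
    # Plain name=value assignments such as pkgname=example (arrays are skipped)
    return dict(re.findall(r"^(\w+)=([^()\s]+)\s*$", text, re.M))

def _array(text, name):
    # Whitespace-separated entries of name=( ... ), with quotes stripped
    m = re.search(r"^%s=\((.*?)\)" % re.escape(name), text, re.M | re.S)
    return [w.strip("'\"") for w in m.group(1).split()] if m else []

def _expand(entry, vars_):
    # Substitute $var / ${var}, then expand one level of {a,b} alternatives
    entry = re.sub(r"\$\{?(\w+)\}?", lambda m: vars_.get(m.group(1), m.group(0)), entry)
    parts = re.split(r"\{([^{}]*)\}", entry)
    choices = [[p] if i % 2 == 0 else p.split(",") for i, p in enumerate(parts)]
    return ["".join(c) for c in product(*choices)]

def unsigned_sources(pkgbuild):
    """Return (source, checksum) pairs that have no .sig/.asc/.sign companion,
    i.e. whose only integrity check is the checksum written in the PKGBUILD."""
    vars_ = _scalars(pkgbuild)
    sources = [s for e in _array(pkgbuild, "source") for s in _expand(e, vars_)]
    sums = []
    for key in ("sha256sums", "sha1sums", "md5sums"):  # first array present wins
        sums = _array(pkgbuild, key)
        if sums:
            break
    sigs = {s for s in sources if s.endswith((".sig", ".asc", ".sign"))}
    result = []
    for src, chk in zip(sources, sums):  # checksums line up with sources by position
        if src in sigs or any(sig.startswith(src) for sig in sigs):
            continue
        result.append((src, chk))
    return result
```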


#8 2012-03-09 15:32:48

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 4,092

Re: questions related to pacman 4 security

If you are paranoid about the PKGBUILD, .install files etc. themselves being changed... Well, you should always read those anyway before you issue makepkg.

Last edited by Mr.Elendig (2012-03-09 15:33:04)
