#1 2017-04-01 02:53:36

wh00
Member
Registered: 2016-03-24
Posts: 20

Questions about Arch's package signing

After casually using aur for a while and not giving a second thought to the package signing system, I decided to start digging into it a bit, and ended up with some unanswered questions about both aur and the official repos.

So from my understanding, when we download and install packages from aur, we implicitly trust that package. That's why it's okay for there to be sources that are not signed, and one of the reasons why it's recommended to always check the PKGBUILD before running makepkg.
If that package had a signed source, we implicitly trust the PKGBUILD with its validpgpkeys field, instead of explicitly trusting the packager by having him/her sign it.
So my question is: is the trust model for aur that we're just implicitly trusting that single package? And some sources happen to care more about authentication than others? I've just never looked into it in as much depth before.

As for the official repos, why are the databases signed? I read in Package_signing that it's okay to require signing on all the packages in the official repos, but the databases across all the default mirrors aren't signed, so that is kept as optional. But if you know that the packages are going to be signed, why does it matter if the databases aren't? Is it just an extra layer of security? The only reason I could come up with is a rogue mirror that intentionally hosts old packages with unpatched vulnerabilities. Maybe I have the concepts of mirrors and databases mixed up.

Last question: why is "optional" the default SigLevel value? I get that it's not "default" in the vanilla pacman.conf, but I'd figure it makes sense to go the other way. Make it more secure by default, and let the user make it less secure by modifying the conf file.


#2 2017-04-01 03:08:10

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,544

Re: Questions about Arch's package signing

There are no packages in the AUR. You keep mentioning the packager, but when using the AUR, YOU are the packager.

You already answered your own question about database signing, it's to ensure the mirror or someone doing MITM doesn't mess with it. It's not used right now because nobody has come up with a good way to do it that fits with Arch's workflow.

Pacman is not Arch specific. Defaulting to "optional" makes sense for the upstream project, and Arch changes it to "required" in the default pacman.conf.

Last edited by Scimmia (2017-04-01 03:15:01)

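Following Scimmia's point about "optional" being pacman's upstream default and "required" being Arch's, here is an added example (not from this thread or from pacman itself) that audits a pacman.conf and reports each repository's effective Package and Database SigLevel. It models pacman's merge rule, that a repo's own tokens override only the facets they name and everything else is inherited from [options] or, failing that, the upstream `Optional TrustedOnly` default; the sample pacman.conf and the function names are constructed for the example.

```python
UPSTREAM_DEFAULT = "Optional TrustedOnly"  # pacman's built-in value when SigLevel is unset

def apply_tokens(level, tokens):
    """Apply SigLevel tokens in order; a Package/Database prefix narrows the target facet."""
    for tok in tokens:
        t, targets = tok.lower(), ("package", "database")
        for prefix in targets:
            if t.startswith(prefix):
                t, targets = t[len(prefix):], (prefix,)
        key = "level" if t in ("never", "optional", "required") else "trust"
        if key == "trust" and t not in ("trustedonly", "trustall"):
            raise ValueError(f"unknown SigLevel token: {tok}")
        for target in targets:
            level[target][key] = t
    return level

def parse_siglevels(text):
    """Collect each pacman.conf section's SigLevel tokens, in order, with comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.setdefault(current := line[1:-1], [])
        elif current and line.startswith("SigLevel"):
            sections[current].extend(line.partition("=")[2].split())
    return sections

def effective_siglevels(text):
    """Per repo: own tokens override only the facets they name, the rest comes from [options]."""
    sections = parse_siglevels(text)
    glob = apply_tokens({"package": {}, "database": {}}, UPSTREAM_DEFAULT.split())
    apply_tokens(glob, sections.pop("options", []))  # [options] overrides the upstream default
    result = {}
    for repo, tokens in sections.items():
        own = apply_tokens({"package": {}, "database": {}}, tokens)
        result[repo] = {f: {**glob[f], **own[f]} for f in ("package", "database")}
    return result

def weak_repos(text):  # repos that would install packages lacking a required, trusted signature
    strict = {"level": "required", "trust": "trustedonly"}
    return sorted(r for r, lv in effective_siglevels(text).items() if lv["package"] != strict)

# Constructed pacman.conf: Arch's shipped global setting, one inheriting repo, one weakened repo.
SAMPLE_CONF = """[options]
SigLevel = Required DatabaseOptional  # Arch's pacman.conf; upstream ships Optional
[core]
Include = /etc/pacman.d/mirrorlist
[custom]
SigLevel = PackageOptional TrustAll   # unsigned packages and untrusted keys accepted
"""
```

Run `weak_repos(SAMPLE_CONF)` to get `['custom']`; `core` inherits Required for packages and Optional for databases, while `custom` keeps the inherited Optional database level but adds TrustAll to both facets.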