#1 2024-05-29 09:28:59

magnicu
Member
Registered: 2024-05-25
Posts: 18

Why/how can we trust official arch mirrors?

This may be a bit of a stupid question, but how can one trust other official arch mirror servers? If it's related to cryptography-keys, where and how do I manage/validate/update the keys and the packages?

Offline

#2 2024-05-29 09:46:12

Awebb
Member
Registered: 2010-05-06
Posts: 6,688

Re: Why/how can we trust official arch mirrors?

Offline

#3 2024-05-29 12:29:39

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,456
Website

Re: Why/how can we trust official arch mirrors?

Trust them to do / not do what exactly?

I don't trust them.  Trust is irrelevant if the packages are signed.

A malicious actor running a mirror could certainly slow down my updates, but this would soon be discovered and their mirror replaced by a better functioning one.  But it'd be hard for a malicious mirror operator to actually do anything to harm or compromise my system - so I don't need to trust them.


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#4 2024-05-29 13:08:41

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,672
Website

Re: Why/how can we trust official arch mirrors?

Trilby wrote:

I don't trust them.  Trust is irrelevant if the packages are signed.

There are so many easy compromises with unsigned databases....

Offline
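The two posts above separate package signatures from database signatures. As an added example that is not part of the thread, the following reads the `SigLevel` lines of a pacman.conf and reports, per repository, whether a missing signature is accepted. The sample configuration and its repository names are constructed, and the model is simplified: it assumes repository-level `SigLevel` lines are applied on top of the `[options]` level and ignores the `TrustedOnly`/`TrustAll` tokens.

```python
from functools import reduce

# Constructed sample; on a real system read /etc/pacman.conf instead.
SAMPLE_CONF = """\
[options]
SigLevel = Required DatabaseOptional
[core]
Include = /etc/pacman.d/mirrorlist
[thirdparty]
SigLevel = Optional TrustAll
Server = https://repo.example.invalid/$arch
[localbuild]
SigLevel = PackageNever
Server = file:///srv/repo
"""
CHECKS = ("Never", "Optional", "Required")

def apply_siglevel(level, value):
    """Apply one SigLevel line; later tokens override earlier ones."""
    level = dict(level)
    for token in value.split():
        targets = ("package", "database")  # no prefix: affects both
        for prefix in ("Package", "Database"):
            if token.startswith(prefix):
                targets, token = (prefix.lower(),), token[len(prefix):]
        if token in CHECKS:  # trust tokens do not change whether a signature is required
            for target in targets:
                level[target] = token
    return level

def effective_siglevels(conf_text):
    default = {"package": "Optional", "database": "Optional"}  # pacman's built-in default
    section, repo_values = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section != "options":
                repo_values.setdefault(section, [])
        elif section and not line.startswith("#") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "SigLevel" and section == "options":
                default = apply_siglevel(default, value)
            elif key == "SigLevel":
                repo_values[section].append(value)
    return {repo: reduce(apply_siglevel, vals, default) for repo, vals in repo_values.items()}

def not_required(conf_text, kind):
    """Repos where a missing signature of `kind` ("package" or "database") is accepted."""
    return sorted(r for r, lvl in effective_siglevels(conf_text).items() if lvl[kind] != "Required")
```

On the sample, `not_required(SAMPLE_CONF, "package")` lists the two repositories whose packages a mirror could serve unsigned, while `not_required(SAMPLE_CONF, "database")` lists all three.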

#5 2024-05-30 08:10:41

Awebb
Member
Registered: 2010-05-06
Posts: 6,688

Re: Why/how can we trust official arch mirrors?

I'm not even sure we've understood the question. What is an official arch mirror server in this context?

Offline
