A better packet system with security.
Today all mirrors distribute a file with all checksums for the mirror, which can be used to verify that the packet isn't corrupted in transfer. The security problem here is that if a packet is replaced, with a backdoored version, on the mirror the checksum file can be replaced too, which means that the client will install the corrupted packet without any warnings.
So how do we solve this?
Well, one solution would be to digitally sign the packet list with a private key (PGP) and then decrypt it with a public key that's not from the mirror. If we do this then we can guarantee that all packets are the same as when they were distributed to the mirror, and that the packet hasn't been corrupted in transfer.
Distribution of the public key.
There are multiple ways of distributing the public key for the packet list, but what's important is to NOT distribute it through the mirrors. If one mirror is compromised then the key could be replaced.
One way to distribute it is to statically compile it into pacman; this would make it much more secure, but it's not very practical. For example, if we want to replace the key, we must upgrade all pacman binaries.
The second way is to distribute it through the homepage and let all users get it from there.
We need security in a packet system, especially when the dist is growing.
This is just an idea, think on it!
PS. Sorry for my bad spelling DS.
Offline
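The scheme proposed in the post above, as an added example that is not part of the original thread or of pacman's code: it compares checksum-only verification with verification of a signed checksum list against a key pinned outside the mirror. Ed25519 from the Go standard library stands in for PGP here, and the type, function and package names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Mirror holds everything a (possibly compromised) mirror serves.
type Mirror struct {
	Pkg  []byte // package file
	List []byte // checksum list: "<sha256 hex>  <name>\n"
	Sig  []byte // detached signature over List
}

func listFor(name string, pkg []byte) []byte {
	return []byte(fmt.Sprintf("%x  %s\n", sha256.Sum256(pkg), name))
}

// ChecksumOnly is the current scheme: trust the list the mirror serves.
func ChecksumOnly(m Mirror, name string) bool {
	return bytes.Equal(m.List, listFor(name, m.Pkg))
}

// Signed first checks the list against a key obtained outside the mirror.
func Signed(m Mirror, name string, pinned ed25519.PublicKey) bool {
	return ed25519.Verify(pinned, m.List, m.Sig) && ChecksumOnly(m, name)
}

// Demo returns the verdicts for an honest mirror and a tampered one.
func Demo() (honestOK, checksumFooled, signedFooled bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // distro key; pub is pinned client-side
	name, pkg := "foo-1.0.pkg.tar.gz", []byte("constructed package bytes")
	list := listFor(name, pkg)
	honest := Mirror{pkg, list, ed25519.Sign(priv, list)}

	// Whoever controls the mirror can swap the package, regenerate the list,
	// and re-sign with their own key, but they do not hold the distro key.
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	badPkg := []byte("constructed backdoored bytes")
	badList := listFor(name, badPkg)
	tampered := Mirror{badPkg, badList, ed25519.Sign(otherPriv, badList)}

	return Signed(honest, name, pub), ChecksumOnly(tampered, name), Signed(tampered, name, pub)
}

func main() {
	fmt.Println(Demo()) // true true false
}
```

The checksum-only check accepts the tampered mirror because the list and the package come from the same place; the signed check rejects it only as long as the pinned public key was not fetched from that mirror.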
This has been discussed on pacman-dev ML early June if you want more info.
All design goals must be phrased in such a way that it is hard to use them as slogans to justify stupidity.
Offline
This has been discussed on pacman-dev ML early June if you want more info.
Nice, where do I sign up for this list?
Offline
bangkok_manouel wrote: This has been discussed on pacman-dev ML early June if you want more info.
Nice, where do I sign up for this list?
http://archlinux.org/mailman/listinfo/pacman-dev
see here for the gpg related threads:
http://archlinux.org/pipermail/pacman-d … /date.html
All design goals must be phrased in such a way that it is hard to use them as slogans to justify stupidity.
Offline
This has been discussed, the response is the same.
There's no hurry or concern, patches are welcome.
Offline