Hi,
I was just wondering if Pacman is ever likely to have more security built into it? Specifically, I mean a way to guarantee that packages which are updated from a mirror are legitimate in origin. Maybe some kind of digital certificate signing of packages?
Say for example, your DNS was compromised, and thus you cannot trust the mirror pacman is using, a malicious 3rd party can now issue an update that would be installed by root, giving potential full control of a box.
Is anything likely to be added to combat this kind of attack? Or is there already something in place I've missed?
Thanks,
Jack
I'm interested too. Devs?
There is a bug report about it (http://bugs.archlinux.org/task/5331) and a start has been made on adding package signing to makepkg/pacman (http://code.toofishes.net/gitweb.cgi?p= … /heads/gpg) although I'm not sure how complete it is.
There has been discussion about this recently:
Interesting, thanks guys, will have a read through them.
There has been a lot of talk and little action on this front. Feel free to come join us on the pacman-dev mailing list to discuss and contribute, but none of the current developers are really interested in making it happen.