Hello.
Topic says it all. Are the packages downloaded from the arch repository signed to prevent DNS spoofing and so on?
Regards,
Linus Johansson
Last edited by nullvoid (2009-03-14 18:24:56)
No. This has been discussed many times. If you are so worried about this, write the code to support it yourself. Search the forums for more information.
At one point I think there was a branch of pacman development working on this but I'm not sure if it's still active or not. As SamC said, there have been many discussions about this in the past but it always comes down to the fact that no one has stepped up with an implementation (at that point).
archlinux - please read this and this — twice — then ask questions.
--
http://rsontech.net | http://github.com/rson
Thanks for the quick reply. I really have no idea about the internals of pacman. It should not be too hard to make it support https using openssl.
Anyways, I will simply tunnel FTP over an SSH connection for now, so I can use my arch box on a hostile network.
Isn't this an idea for a GSoC project - to get all packages GPG signed?
nullvoid wrote:Thanks for the quick reply. I really have no idea about the internals of pacman. It should not be too hard to make it support https using openssl.
Anyways, I will simply tunnel FTP over an SSH connection for now, so I can use my arch box on a hostile network.
That does not help much because the main problem is that you cannot trust the mirrors. So gpg signing is the only solution.
nullvoid wrote:Thanks for the quick reply. I really have no idea about the internals of pacman. It should not be too hard to make it support https using openssl.
Anyways, I will simply tunnel FTP over an SSH connection for now, so I can use my arch box on a hostile network.
That does not help much because the main problem is that you cannot trust the mirrors. So gpg signing is the only solution.
Correct, but I do, however, trust the mirrors; my problem is that I will run Arch on a hostile network, so I can't really make sure it's really the mirror I am talking to. But GPG signing would be even better.
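The point made above (a tunnel protects the path, a signature protects the package itself) as an added, constructed demonstration that is not part of this thread or of pacman: a packager signs a file with a detached GPG signature, a mirror serves an honest copy and a tampered copy, and the client verifies both with only the packager's key. It assumes gpg 2.1 or later is installed; the key, package and mirror directories are all throwaway fixtures created in a temporary GNUPGHOME.

```shell
#!/bin/sh
# Constructed demo of detached package signing (not from the forum thread or pacman).
# Assumes gpg 2.1+ is installed; everything is created under a temporary GNUPGHOME.
set -eu

export GNUPGHOME="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
WORK="$GNUPGHOME/work"
mkdir -p "$WORK/origin" "$WORK/mirror"

# Packager side: create a signing key and publish a detached .sig beside the package.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Packager <packager@example.invalid>' ed25519 sign 0 2>/dev/null
printf 'constructed package payload v1\n' > "$WORK/origin/demo-1.0.pkg.tar"
gpg --batch --quiet --detach-sign --output "$WORK/origin/demo-1.0.pkg.tar.sig" \
    "$WORK/origin/demo-1.0.pkg.tar"

# Mirror side: an honest copy and a copy altered by whoever controls the mirror
# (or the path to it). An SSH or HTTPS tunnel to the mirror cannot detect this.
cp "$WORK/origin/demo-1.0.pkg.tar" "$WORK/mirror/honest.pkg.tar"
cp "$WORK/origin/demo-1.0.pkg.tar" "$WORK/mirror/tampered.pkg.tar"
printf 'extra bytes injected by mirror\n' >> "$WORK/mirror/tampered.pkg.tar"

# Client side: check the downloaded file against the packager's signature, trusting
# only the key already in the local keyring, never anything the mirror served.
verify_pkg() {
    if gpg --batch --quiet --verify "$WORK/origin/demo-1.0.pkg.tar.sig" "$1" 2>/dev/null; then
        echo "GOOD"
    else
        echo "BAD"
    fi
}

verify_pkg "$WORK/mirror/honest.pkg.tar"     # GOOD
verify_pkg "$WORK/mirror/tampered.pkg.tar"   # BAD
```

The same check holds whether the file arrived over plain FTP, HTTPS or an SSH tunnel, which is why the thread's answer is signing rather than transport encryption.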
At one point I think there was a branch of pacman development working on this but I'm not sure if it's still active or not. As SamC said, there have been many discussions about this in the past but it always comes down to the fact that no one has stepped up with an implementation (at that point).
Yes, there is this branch: http://code.toofishes.net/cgit/dan/pacm … /?h=newgpg
Which along with these patches (may need fixing...) makes a good start:
http://archlinux.org/pipermail/pacman-d … 07808.html
http://archlinux.org/pipermail/pacman-d … 07836.html
http://archlinux.org/pipermail/pacman-d … 07837.html
Isn't this an idea for a GSoC project - to get all packages GPG signed?
It would, but you require a mentor with time...
nullvoid wrote:Topic says it all.
Topic actually says "packets"
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl