I am wondering how package deployment is secured. As far as I know, pacman needs two types of files: *.db.tar.gz and *.pkg.tar.gz.
1. If a *.pkg.tar.gz file differs from what is provided by the maintainers, can pacman detect that? If so, is verification different for pacman's "-S" and "-U" commands?
2. If a mirror's owner changes the *.db.tar.gz file, can pacman detect that?
we are not condemned to write ugly code
There has been a long-standing request for packages that are cryptographically signed by trusted maintainer keys, but AFAIK this hasn't made it into pacman yet, although I believe some preliminary work has been done.
http://bugs.archlinux.org/task/5331
-nogoma
---
Code Happy, Code Ruby!
http://www.last.fm/user/nogoma/
Thanks. I see that my topic is a duplicate, so it can be deleted.
we are not condemned to write ugly code