
#1 2009-07-06 00:01:53

beroal
Member
From: Ukraine
Registered: 2009-06-07
Posts: 325

package deployment verification

I am wondering how package deployment is secured. As far as I know, pacman needs two types of files: *.db.tar.gz and *.pkg.tar.gz.
1. If a *.pkg.tar.gz file differs from what is provided by the maintainers, can pacman detect that? If so, is verification different for pacman's "-S" and "-U" commands?
2. If a mirror's owner changes the *.db.tar.gz file, can pacman detect that?


we are not condemned to write ugly code


#2 2009-07-06 00:07:18

nogoma
Member
From: Cranston, RI
Registered: 2006-03-01
Posts: 217

Re: package deployment verification

There has been a long-standing request for packages that are cryptographically signed by trusted maintainer keys, but AFAIK this hasn't made it into pacman yet, although I believe some preliminary work has been done.
http://bugs.archlinux.org/task/5331


-nogoma
---
Code Happy, Code Ruby!
http://www.last.fm/user/nogoma/

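The thread asks whether a checksum database served by the same mirror as the packages can detect tampering by the mirror's owner, and the reply notes that maintainer-signed packages had not yet landed in pacman. The following is an added example, not pacman's own code, that models the two checks side by side: a package verified against a mirror-served database of SHA-256 sums, and the same database verified against a signature made with a key the mirror does not hold. The package names and contents, the one-line-per-package database format, and the toy textbook RSA key (two Mersenne primes, unpadded, illustration only) are all assumptions of this example.

```python
import hashlib

# Constructed sample repository: package file name -> contents (not real packages).
PACKAGES = {
    "foo-1.0-1-i686.pkg.tar.gz": b"foo package contents",
    "bar-2.3-2-i686.pkg.tar.gz": b"bar package contents",
}
TARGET = "foo-1.0-1-i686.pkg.tar.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_db(packages: dict) -> bytes:
    """Serialise a minimal repo database: one 'name sha256' line per package.
    Assumed format for this example; pacman's real .db.tar.gz layout differs."""
    lines = [f"{name} {sha256_hex(data)}" for name, data in sorted(packages.items())]
    return ("\n".join(lines) + "\n").encode()


def parse_db(db: bytes) -> dict:
    entries = {}
    for line in db.decode().splitlines():
        name, digest = line.split(" ", 1)
        entries[name] = digest
    return entries


def package_matches_db(db: bytes, name: str, data: bytes) -> bool:
    """Mirror-supplied checksum check: does the package match the db entry?"""
    return parse_db(db).get(name) == sha256_hex(data)


# Toy textbook RSA over a SHA-256 digest. Illustration only: an unpadded
# ~234-bit modulus is NOT secure; a real deployment uses OpenPGP/GPG signatures.
P = (1 << 127) - 1                   # Mersenne prime M127 (assumed toy key)
Q = (1 << 107) - 1                   # Mersenne prime M107 (assumed toy key)
N = P * Q
E = 65537                            # public exponent, shipped with the client
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the maintainer only


def sign_db(db: bytes, private_exponent: int = D, modulus: int = N) -> int:
    digest = int.from_bytes(hashlib.sha256(db).digest(), "big") % modulus
    return pow(digest, private_exponent, modulus)


def verify_db(db: bytes, signature: int, public_exponent: int = E, modulus: int = N) -> bool:
    digest = int.from_bytes(hashlib.sha256(db).digest(), "big") % modulus
    return pow(signature, public_exponent, modulus) == digest


def tampered_package_detected() -> bool:
    """Mirror swaps one package but leaves the db alone: the checksum catches it."""
    db = build_db(PACKAGES)
    evil = PACKAGES[TARGET] + b" + backdoor"
    return not package_matches_db(db, TARGET, evil)


def tampered_db_results() -> tuple:
    """Mirror swaps a package AND regenerates the db to match.
    Returns (checksum_check_passes, signature_check_passes)."""
    signature = sign_db(build_db(PACKAGES))      # maintainer signs the genuine db once
    evil_packages = dict(PACKAGES)
    evil_packages[TARGET] = PACKAGES[TARGET] + b" + backdoor"
    evil_db = build_db(evil_packages)            # mirror can recompute every checksum
    checksum_ok = package_matches_db(evil_db, TARGET, evil_packages[TARGET])
    signature_ok = verify_db(evil_db, signature)  # mirror cannot re-sign without D
    return checksum_ok, signature_ok


if __name__ == "__main__":
    print("tampered package, untouched db -> detected:", tampered_package_detected())
    print("tampered package + regenerated db -> (checksum ok, signature ok):",
          tampered_db_results())
```

The first scenario is the only one a bare checksum database can catch; in the second, the checksums are consistent by construction, and only the signature made outside the mirror's control fails. That asymmetry is the reason the feature request in the reply asks for maintainer-key signatures rather than stronger hashes.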

#3 2009-07-07 07:43:44

beroal
Member
From: Ukraine
Registered: 2009-06-07
Posts: 325

Re: package deployment verification

Thanks. I see that my topic is a duplicate, so it can be deleted.


we are not condemned to write ugly code

