Am 17.03.2010 01:06, schrieb Linas:
> There are several ways to close the gap:
> *Always download the package list from ftp.archlinux.org
> It's the easier solution, but it only protects against the mirror
> operator. Moreover, it increases load on that server and makes it a
> single point of failure.

ftp.archlinux.org is yet another mirror ... a very slow one.

> *Package lists are signed from a trusted master key. There may be up to
> a key per repo.
> Easy to provide, allows backward compatibility.

Signing databases would work if we had another hash than md5 for packages.

> *Packages are automatically signed by ftp.archlinux.org before
> distributing them.

Hmm, see above.

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to