On Sun, Jul 27, 2014 at 11:29 AM, Manuel Reimer <[email protected]> wrote:
> Hello,
>
> most up-to-date Linux distributions have switched to package signing.
>
> This way it is no problem if someone abuses security holes on package
> mirrors to place manipulated packages. It also helps to prevent "man in the
> middle attacks" where someone in the same network overrides the original
> server to inject bad packages.
>
> The package manager, used by OpenWRT, has the ability to sign packages. For
> some unknown reason this is not used by OpenWRT.

Most Linux distributions are not constrained by very limited flash space.
Currently OpenWrt requires 4 MiB flash (and this is already the bare minimum,
leaving not a lot of free space to use), but if we start to include SSL
support and/or signed packages, the image size will definitely grow too large
for those devices, making it unusable on quite a lot of popular cheap devices.

> Is there any plan to sign your packages? When do you plan to do so?

So currently there are no plans to do so.

Jonas
_______________________________________________
openwrt-users mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
