I like the idea of GPG signed repositories, but they are just about useless if they are signing MD5s. MD5 is very insecure, but good for normal file integrity checking. Can Pacman use SHA-256 or similar? Another thing to watch out for is malicious publication of old repositories with old and vulnerable packages that have the force option set. I've thought briefly on how to circumvent this, but not enough to have a method I would propose.
Thanks,
Teran

On Mon, Dec 8, 2008 at 12:34, Dan McGee <[EMAIL PROTECTED]> wrote:
> On Mon, Dec 8, 2008 at 4:55 AM, Gerhard Brauer <[EMAIL PROTECTED]> wrote:
>> On Sun, 7 Dec 2008 15:18:32 -0600, "Dan McGee" <[EMAIL PROTECTED]> wrote:
>>
>>> I did quite a bit more work with GPG today. I wrapped my head around
>>> GPGME, which presents a nice C interface to the GPG stuff so we are
>>> now a lot closer to a working implementation:
>>> http://code.toofishes.net/gitweb.cgi?p=pacman.git;a=shortlog;h=refs/heads/newgpg
>>>
>>> From the script side of things, I didn't change much. The libalpm
>>> code has changed considerably, and there is still a lot of room for
>>> improvement. Let me know if you guys have questions.
>>
>> With heads/newgpg pacman doesn't check or find the .sig files. If
>> starting with --debug I got these debug messages:
>>
>> debug: md5(/var/cache/pacman/pkg/abook-0.5.6-3-i686.pkg.tar.gz)
>> =79777684f62164934a1264df66b8fdc6
>> debug: returning error 35 from gpgme_init : signature directory not
>> configured correctly
>> debug: installing packages
>> debug: found cached pkg: /var/cache/pacman/pkg/abook-0.5.6-3-i686.pkg.tar.gz
>> debug: loading target '/var/cache/pacman/pkg/abook-0.5.6-3-i686.pkg.tar.gz'
>> debug: no package signature file found
>>
>> Where or what do I have to configure as the "gpgme_init : signature directory"?
>> My public key is in /root/.gnupg/pubring.gpg. I tried it also with
>> /tmp/testing.gpg but got the same error.
>> As far as I could read the code, this may belong to commit:
>> http://code.toofishes.net/gitweb.cgi?p=pacman.git;a=commit;h=1a286336147c7d3af42041d26205b9ca3980f459
>> I see a program gpgme-config, but don't see what I could do with it ;-)
>>
>> Help ;-)
>
> I didn't promise this worked out of the box. I just meant that it was
> a better start than the other code. You're either going to have to
> know C and understand what is going on (and fix it), or wait for it to
> be in a better state of completion.
>
> -Dan
> _______________________________________________
> pacman-dev mailing list
> pacman-dev@archlinux.org
> http://archlinux.org/mailman/listinfo/pacman-dev
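A small illustration of the two points Teran raises (trusting a strong digest rather than an MD5, and refusing a replayed old repository database), added here as an example and not taken from pacman's code; the entry field names, the database timestamp and the sample package bytes are constructed assumptions:

```python
import hashlib

# Constructed sample package and repository entry (field names assumed; not
# pacman's real database layout). Besides the MD5 the thread describes, the
# entry carries a SHA-256, and the client is handed a database build time.
PKG_BYTES = b"constructed package contents, not a real pacman package\n"
DB_ENTRY = {
    "filename": "abook-0.5.6-3-i686.pkg.tar.gz",
    "md5sum": hashlib.md5(PKG_BYTES).hexdigest(),
    "sha256sum": hashlib.sha256(PKG_BYTES).hexdigest(),
}


def check_package_digest(entry, data):
    """Trust a package only when its SHA-256 matches the signed entry.

    An entry that carries only an MD5 is reported as unverified even if that
    MD5 matches: a signature over an MD5 proves little once MD5 collisions
    are practical, which is the point raised in the thread.
    """
    strong = entry.get("sha256sum")
    if not strong:
        return False, "entry carries only an MD5 digest; treated as unverified"
    if hashlib.sha256(data).hexdigest() != strong:
        return False, "sha256 mismatch for %s" % entry["filename"]
    return True, "ok"


def check_db_freshness(db_time, last_seen_time, max_age, now):
    """Reject a validly signed but old repository database.

    A signature alone does not stop someone from re-serving a stale database
    full of since-fixed packages; the client has to remember the newest
    database time it accepted and refuse anything older, plus anything older
    than max_age seconds so a frozen mirror is noticed.
    """
    if db_time < last_seen_time:
        return False, "database older than the last one accepted (rollback)"
    if now - db_time > max_age:
        return False, "database older than %d seconds (stale)" % max_age
    return True, "ok"


if __name__ == "__main__":
    print(check_package_digest(DB_ENTRY, PKG_BYTES))
    print(check_package_digest({"filename": "x", "md5sum": DB_ENTRY["md5sum"]}, PKG_BYTES))
    print(check_db_freshness(1000, 900, 86400, 1500))
    print(check_db_freshness(800, 900, 86400, 1500))
```

The rollback check only works if the client persists the last accepted database time across runs; the values passed here are plain integers for illustration.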