On Mon, Dec 8, 2008 at 7:00 AM, Teran McKinney <[EMAIL PROTECTED]> wrote:

> I like the idea of GPG signed repositories, but they are just about
> useless if they are signing MD5s. MD5 is very insecure, but good for
> normal file integrity checking. Can Pacman use SHA-256 or similar?
> Another thing to watch out for is malicious publication of old
> repositories with old and vulnerable packages that have the force
> option set. I've thought briefly on how to circumvent this, but not
> enough to have a method I would propose.
I think you misunderstood completely- try reading this first:
http://archlinux.org/pipermail/arch-dev-public/2008-December/009244.html

We sign *packages*, not repositories.

Will this damn thing about MD5 please die? "Fixing" that still fixes nothing, and I'll pay one million USD to someone that can actually forge a package with a given MD5.

I believe I addressed the old repositories question there as well- we will eventually have to sign databases too. A lot of thought was done in this report:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/

-Dan

_______________________________________________
pacman-dev mailing list
pacman-dev@archlinux.org
http://archlinux.org/mailman/listinfo/pacman-dev
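The two points in the exchange above, that the signature rather than the digest carries the trust, and that an unsigned or un-versioned database lets a mirror replay an old set of vulnerable packages, can be illustrated with a small stand-alone Go program. This is an added example and is not pacman's code nor anything Dan or Teran posted; the manifest format, the Ed25519 key, the version counter and the package contents are all assumptions constructed for the demonstration. It shows a client that (1) accepts a correctly signed current database, (2) rejects a replayed older database even though its signature is genuine, and (3) rejects a package whose bytes do not match the hash listed in the trusted database.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest is a toy stand-in for a signed repository database (assumed format,
// not pacman's): a monotonically increasing version plus one SHA-256 per package.
type Manifest struct {
	Version  uint64
	Packages map[string]string // package filename -> hex SHA-256 of its contents
}

// Encode serialises the manifest deterministically (sorted package names) so the
// signature always covers the same canonical byte string.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m.Packages))
	for n := range m.Packages {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	fmt.Fprintf(&b, "version=%d\n", m.Version)
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, m.Packages[n])
	}
	return []byte(b.String())
}

// Sign produces a detached Ed25519 signature over the canonical manifest.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid")
	ErrRollback       = errors.New("manifest older than the last trusted one")
	ErrUnknownPackage = errors.New("package not listed in manifest")
	ErrChecksum       = errors.New("package contents do not match manifest")
)

// VerifyManifest checks the signature first, then refuses any database whose
// version is lower than the newest one the client has already trusted. The
// second check is what stops a mirror from replaying a stale, genuinely signed
// database full of packages with known bugs.
func VerifyManifest(pub ed25519.PublicKey, sig []byte, m Manifest, lastTrusted uint64) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Version < lastTrusted {
		return ErrRollback
	}
	return nil
}

// VerifyPackage checks downloaded bytes against the hash recorded in a manifest
// that has already passed VerifyManifest; the hash is trusted only because the
// signature over the manifest is.
func VerifyPackage(m Manifest, name string, contents []byte) error {
	want, ok := m.Packages[name]
	if !ok {
		return ErrUnknownPackage
	}
	sum := sha256.Sum256(contents)
	if hex.EncodeToString(sum[:]) != want {
		return ErrChecksum
	}
	return nil
}

func hexSum(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Scenario runs the three checks described in the lead-in with constructed
// sample data and returns the outcome of each (nil means accepted).
func Scenario() (freshErr, replayErr, tamperErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	oldPkg := []byte("foo-1.0-1: constructed sample contents of the buggy build")
	newPkg := []byte("foo-1.1-1: constructed sample contents of the fixed build")
	old := Manifest{Version: 41, Packages: map[string]string{"foo.pkg.tar.gz": hexSum(oldPkg)}}
	cur := Manifest{Version: 42, Packages: map[string]string{"foo.pkg.tar.gz": hexSum(newPkg)}}
	oldSig, curSig := Sign(priv, old), Sign(priv, cur)

	lastTrusted := uint64(42) // the client has already seen database version 42
	freshErr = VerifyManifest(pub, curSig, cur, lastTrusted)
	replayErr = VerifyManifest(pub, oldSig, old, lastTrusted) // valid signature, stale version
	tamperErr = VerifyPackage(cur, "foo.pkg.tar.gz", oldPkg)  // old bytes served under the new manifest
	return freshErr, replayErr, tamperErr
}

func main() {
	fresh, replay, tamper := Scenario()
	fmt.Println("current database:", fresh)
	fmt.Println("replayed database:", replay)
	fmt.Println("mismatched package:", tamper)
}
```

Note that the package hash never has to be collision-resistant on its own for the tamper check to work here: an attacker who cannot forge the signature cannot change the listed hash, so the only remaining question is whether they can produce different bytes with the same digest (a second-preimage attack), which is the distinction Dan's reply is drawing. Signing the database, and having the client remember the highest version it has accepted, is what closes the replay hole Teran raises.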