On 20 July 2011 11:06, Lukas Fleischer <suckl...@cryptocrack.de> wrote:
> pacman 4.0.0 will support package signatures and we'll sign all packages
> in the official repos ([core], [extra], [community]) soon.
Debian IIRC just signs the package lists (including checksums) in practice, which is fine. I hope there isn't going to be a .sig for every .pkg.xz because that would suck. Still, this is beside the point. We were trying to work out how suckless delivers the package, not Arch. So, to get back to the point, I would like to know how Arch can securely make sure it's downloading the correct package. I know it has the md5 construct in the PKGBUILD, which I am not that keen on since it's manual, breaks often, sucks, etc.