On Mon, Dec 8, 2008 at 7:08 AM, Dan McGee <[EMAIL PROTECTED]> wrote:
> On Mon, Dec 8, 2008 at 7:00 AM, Teran McKinney <[EMAIL PROTECTED]> wrote:
>> I like the idea of GPG signed repositories, but they are just about
>> useless if they are signing MD5s. MD5 is very insecure, but good for
>> normal file integrity checking. Can Pacman use SHA-256 or similar?
>> Another thing to watch out for is malicious publication of old
>> repositories with old and vulnerable packages that have the force
>> option set. I've thought briefly on how to circumvent this, but not
>> enough to have a method I would propose.
>
> I think you misunderstood completely - try reading this first:
> http://archlinux.org/pipermail/arch-dev-public/2008-December/009244.html
And sorry about this - I thought I had cross-posted this message to this list, so now I see why the route we were taking maybe wasn't clear. Let me know if you have questions.

-Dan

_______________________________________________
pacman-dev mailing list
[email protected]
http://archlinux.org/mailman/listinfo/pacman-dev
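The two concerns raised in the quoted message, a signature that only binds packages as strongly as the hash it covers, and republication of an old but genuinely signed repository, can be shown together in one verifier. The following is an added example written for this thread, not pacman's code and not the design from the linked arch-dev-public post: the manifest layout, the `issued_at` field and the helper names are hypothetical, and a keyed HMAC stands in for the GPG signature so the block runs on the Python standard library alone. The checks themselves do not depend on which signature primitive is used.

```python
"""Signed repository manifest check with SHA-256 digests and rollback protection.

Added example for the pacman-dev thread above; not pacman's code. The manifest
layout, field names and helper names are hypothetical, and HMAC-SHA256 stands in
for a detached GPG signature so the example needs only the standard library.
"""
import hashlib
import hmac
import json


class VerificationError(Exception):
    """Raised when the repository fails a check; the message names the check."""


def package_digest(data: bytes) -> str:
    # The signature covers these digests, so packages are bound only as strongly
    # as the hash is collision resistant: SHA-256 here rather than MD5.
    return hashlib.sha256(data).hexdigest()


def build_manifest(packages: dict, issued_at: int) -> dict:
    """Repository metadata: an issue time plus one digest per package."""
    return {
        "issued_at": issued_at,  # inside the signed data, so it cannot be edited
        "packages": {name: {"sha256": package_digest(data)}
                     for name, data in packages.items()},
    }


def canonical(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 stand-in for a detached GPG signature over the manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_repository(manifest, signature, key, packages, last_seen_issued_at):
    """Check signature, freshness and every package digest.

    Returns the manifest's issue time; the client persists it and passes it back
    as last_seen_issued_at on the next sync.
    """
    # 1. Nothing in the manifest is trusted before its signature verifies.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        raise VerificationError("bad manifest signature")
    # 2. A genuine but stale manifest is rejected. Republishing an old repository
    #    (old, vulnerable packages included) keeps a valid signature, so the
    #    signature alone cannot detect it; the monotonic issue time does.
    if manifest["issued_at"] < last_seen_issued_at:
        raise VerificationError("manifest older than last accepted one (possible replay)")
    # 3. Each downloaded package must match the digest the signed manifest lists.
    for name, data in packages.items():
        entry = manifest["packages"].get(name)
        if entry is None:
            raise VerificationError(f"{name} not listed in manifest")
        if not hmac.compare_digest(entry["sha256"], package_digest(data)):
            raise VerificationError(f"{name} digest mismatch")
    return manifest["issued_at"]


def check(manifest, signature, key, packages, last_seen_issued_at) -> str:
    """Convenience wrapper: 'ok' or the rejection reason as a string."""
    try:
        verify_repository(manifest, signature, key, packages, last_seen_issued_at)
        return "ok"
    except VerificationError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample data: not real packages, keys or repository contents.
    key = b"example-repo-signing-key"
    packages = {"foo-1.0": b"foo version 1", "bar-2.3": b"bar version 2.3"}
    manifest = build_manifest(packages, issued_at=100)
    signature = sign_manifest(manifest, key)
    print(check(manifest, signature, key, packages, 0))                 # ok
    print(check(manifest, signature, key, {"foo-1.0": b"trojaned"}, 0))  # foo-1.0 digest mismatch
    print(check(manifest, signature, key, packages, 200))               # manifest older than last accepted one (possible replay)
```

The order of the checks matters: the issue time is only meaningful once the signature over it has verified, and the per-package digests are only meaningful once the manifest listing them is known to be both authentic and current. A mirror that serves yesterday's repository passes the signature check and fails the freshness check, which is the case the quoted message is worried about.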
