Thomas B
> perhaps i missed something, but wouldn't be the easiest way to download
> the db.tar.gz directly from ftp.archlinux.org or another trusted server
> and the packages from the mirrors? something like a decentralized system.
sorry. i wasn't very explicit in my previous mail.
my idea is this:
first
On Sun, 30.11.2008, 00:24, Aaron Griffin wrote:
> All we'd need is to patch repo-add to include signature data in the
> DB. To do this properly, signatures should be uploaded with the
> package itself, from the packager's machine... hmmm
>
perhaps i missed something, but wouldn't be the easiest w
Aaron Griffin wrote:
I think we're confusing things here. The checksums in pacman are only
used for integrity, not security. I agree that the first step towards
super-omg-secure packages would be switching to a different checksum,
but sha1 might be deemed insecure soon too. Why not jump over th
On Sun, 30 Nov 2008 01:20:13 +0100
Gerhard Brauer <[EMAIL PROTECTED]> wrote:
> On Sat, 29 Nov 2008 17:24:19 -0600
> "Aaron Griffin" <[EMAIL PROTECTED]> wrote:
> >
> > All we'd need is to patch repo-add to include signature data in the
> > DB. To do this properly, signatures should be uploaded
On Sat, 29 Nov 2008 17:24:19 -0600
"Aaron Griffin" <[EMAIL PROTECTED]> wrote:
>
> I talked to Dan about this briefly the other day. What we concluded
> was that the most proper and secure way to do this is as follows:
> * gerolde hosts a "developer keyring"
> * developers sign their individual p
On Sat, Nov 29, 2008 at 8:37 AM, Thomas Bächler <[EMAIL PROTECTED]> wrote:
> Gerhard Brauer wrote:
>>
>> For myself i don't accept the "md5sum is bad" argument as a "stopper"
>> for each idea to provide a pacman secure concept ;-)
>
> I wasn't going to stop you. Signed db files are an important f
Is there a way to get the abs build files for kde 3.5.9?
Is the svn repos tagged at 3.5.9 ?
If so how?
I would like to build them for a new computer of mine that has an old graphics
card and cpu.
Hi guys, new kernel addresses the following things:
- bump to latest version
please signoff for both arches,
greetings
tpowa
--
Tobias Powalowski
Archlinux Developer & Package Maintainer (tpowa)
http://www.archlinux.org
[EMAIL PROTECTED]
Gerhard Brauer wrote:
For myself i don't accept the "md5sum is bad" argument as a "stopper"
for each idea to provide a pacman secure concept ;-)
I wasn't going to stop you. Signed db files are an important first step.
My point is that it was often suggested to move from md5 to something
mor
On Sat, 29 Nov 2008 15:00:20 +0100
Thomas Bächler <[EMAIL PROTECTED]> wrote:
> Pierre Schmitz wrote:
> > The simplest solution would be if we sign the db files
> > (automatically) on gerolde. Of course this is less secure than
> > signing every single package by its packager; but on the other