Re: [arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

On Tue, Nov 01, 2016 at 03:59:28AM +0100, Lukas Rose wrote: > > On 01 Nov 2016, at 00:35, Leonid Isaev > > wrote: > > > > Well, my mentality is that authenticating plain-text data is usually not > > necessary because a user can always inspect it > > You just

Re: [arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

> On 01 Nov 2016, at 00:35, Leonid Isaev wrote: > > Well, my mentality is that authenticating plain-text data is usually not > necessary because a user can always inspect it You just can't reliably inspect plain text install data, unless you spend an awful lot

Re: [arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

On 10/31/2016 07:35 PM, Leonid Isaev wrote: > Regarding checksums, how did a dev know that upstream sources are authentic? Personally, I check the upstream sources of stuff I publish to the AUR. I maintain an additional *-git package for anything that makes sense that way, so it is easy to

Re: [arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

On 01/11/16 03:14, Bennett Piater wrote: > On 10/31/2016 06:04 PM, Levente Polyak wrote: >> On the other side we have a dev/TU authenticating the buildscript. >> Both cover certain areas but are still independent and one does not make >> the other futile. > > Since this thread is helpfully on

Re: [arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

On Mon, Oct 31, 2016 at 07:18:01PM -0400, Eli Schwartz via arch-general wrote: > On 10/31/2016 05:50 PM, Leonid Isaev wrote: > > As a side question... is there a significant difference in signing PKGBUILD > > vs > > the compiled package. > > Do you realize, when you ask if there is a difference

Re: [arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

On 10/31/2016 05:50 PM, Leonid Isaev wrote: > As a side question... is there a significant difference in signing PKGBUILD vs > the compiled package. Do you realize, when you ask if there is a difference between signing a PKGBUILD vs. a built package, it sounds an awful lot like asking if there is

Re: [arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

On 10/31/2016 10:50 PM, Leonid Isaev wrote: > On Mon, Oct 31, 2016 at 06:04:48PM +0100, Levente Polyak wrote: >> I get your point what you try to achieve but the PKGBUILD already >> contains the integrity values (checksums) for all external sources and >> if you sign the PKGBUILD (which is the

Re: [arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

On Mon, Oct 31, 2016 at 06:04:48PM +0100, Levente Polyak wrote: > I get your point what you try to achieve but the PKGBUILD already > contains the integrity values (checksums) for all external sources and > if you sign the PKGBUILD (which is the build script) then you have > implicitly

Re: [arch-general] kde --> xfce how to remove all packages kde

On Monday, 31 October 2016 22:27:54 CET David Demelier via arch-general wrote: > Unfortunately even pacman -Rcsn plasma will leave some KDE packages. And I > have never found any solution so far. KDE is now not a single distribution, but rather a loose set of independent products. plasma is just

Re: [arch-general] kde --> xfce how to remove all packages kde

Le 30 oct. 2016 6:26 PM, "Merlin Büge" a écrit : > > > Hi, I have migrate my archlinux system desktop kde to xfce. > > > > How to remove all kde packages and dependecy? > > https://wiki.archlinux.org/index.php/Pacman#Removing_packages > > Regards, Unfortunately even pacman

Re: [arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

On 31 Oct 2016, at 6:14 pm +0100, Bennett Piater wrote: > I want to quickly chime in and say that I would really like > authenticated buildscripts at some point :) Any PKGBUILD kept in git can already optionally have this feature. See git-commit(1), specifically, its --gpg-sign option. iff

Re: [arch-general] [arch-dev-public] todo list for moving http -> https sources

When it comes to security of online update mechanisms and that of an index, TUF has a well designed scheme to be safe regardless of http and plan for eventual leak/theft of signing keys. I'd suggest anyone interest to have a look.

Re: [arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

On 10/31/2016 06:04 PM, Levente Polyak wrote: > On the other side we have a dev/TU authenticating the buildscript. > Both cover certain areas but are still independent and one does not make > the other futile. Since this thread is helpfully on arch-general now, I want to quickly chime in and say

Re: [arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

On 10/31/2016 04:43 PM, Patrick Burroughs (Celti) wrote: > On Mon, 31 Oct 2016 16:16:21 +0100 > Levente Polyak wrote: > >> On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote: >>> As a middle ground, I think it would be more reasonable (or at >>> least, less

Re: [arch-general] [arch-dev-public] todo list for moving http -> https sources

On Mon, Oct 31, 2016 at 2:18 PM, Guillaume ALAUX wrote: > On Mon, Oct 31, 2016 at 4:16 PM, Levente Polyak > wrote: >> >> On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote: >> > As a middle ground, I think it would be more reasonable (or at

Re: [arch-general] [arch-dev-public] todo list for moving http -> https sources

On Mon, Oct 31, 2016 at 4:16 PM, Levente Polyak wrote: > > On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote: > > As a middle ground, I think it would be more reasonable (or at least, > > less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at > >

[arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

On Mon, 31 Oct 2016 16:16:21 +0100 Levente Polyak wrote: > On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote: > > As a middle ground, I think it would be more reasonable (or at > > least, less unreasonable) to modify makepkg to allow signing > > PKGBUILDs, or at

Re: [arch-general] [arch-dev-public] todo list for moving http -> https sources

On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote: > As a middle ground, I think it would be more reasonable (or at least, > less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at > least parts of them. For an existing example, OpenBSD's signify(1) uses > their cryptographic

Re: [arch-general] [arch-dev-public] todo list for moving http -> https sources

On Mon, 31 Oct 2016 15:19:40 +0100 NicoHood wrote: > Using PGP signatures is another discussion, also the hash algorithm. I > think we should discuss that in another post, appart from https. From > my point of view its highly important to use a strong hash function > as its