On Tue, Nov 01, 2016 at 03:59:28AM +0100, Lukas Rose wrote:
> > On 01 Nov 2016, at 00:35, Leonid Isaev
> > wrote:
> >
> > Well, my mentality is that authenticating plain-text data is usually not
> > necessary because a user can always inspect it
>
> You just can't reliably inspect plain text in
> On 01 Nov 2016, at 00:35, Leonid Isaev wrote:
>
> Well, my mentality is that authenticating plain-text data is usually not
> necessary because a user can always inspect it
You just can't reliably inspect plain text install data, unless you spend an
awful lot of time on it. As already pointe
On 10/31/2016 07:35 PM, Leonid Isaev wrote:
> Regarding checksums, how did a dev know that upstream sources are authentic?
Personally, I check the upstream sources of stuff I publish to the AUR.
I maintain an additional *-git package for anything that makes sense
that way, so it is easy to diff/lo
On 01/11/16 03:14, Bennett Piater wrote:
> On 10/31/2016 06:04 PM, Levente Polyak wrote:
>> On the other side we have a dev/TU authenticating the buildscript.
>> Both cover certain areas but are still independent and one does not make
>> the other futile.
>
> Since this thread is helpfully on arch
On Mon, Oct 31, 2016 at 07:18:01PM -0400, Eli Schwartz via arch-general wrote:
> On 10/31/2016 05:50 PM, Leonid Isaev wrote:
> > As a side question... is there a significant difference in signing PKGBUILD
> > vs
> > the compiled package.
>
> Do you realize, when you ask if there is a difference b
On 10/31/2016 05:50 PM, Leonid Isaev wrote:
> As a side question... is there a significant difference in signing PKGBUILD vs
> the compiled package.
Do you realize, when you ask if there is a difference between signing a
PKGBUILD vs. a built package, it sounds an awful lot like asking if
there is
On 10/31/2016 10:50 PM, Leonid Isaev wrote:
> On Mon, Oct 31, 2016 at 06:04:48PM +0100, Levente Polyak wrote:
>> I get your point what you try to achieve but the PKGBUILD already
>> contains the integrity values (checksums) for all external sources and
>> if you sign the PKGBUILD (which is the buil
On Mon, Oct 31, 2016 at 06:04:48PM +0100, Levente Polyak wrote:
> I get your point what you try to achieve but the PKGBUILD already
> contains the integrity values (checksums) for all external sources and
> if you sign the PKGBUILD (which is the build script) then you have
> implicitly authenticate
On Monday, 31 October 2016 22:27:54 CET David Demelier via arch-general wrote:
> Unfortunately even pacman -Rcsn plasma will leave some KDE packages. And I
> have never found any solution so far.
KDE is now not a single distribution, but rather a loose set of independent
products. plasma is just
On 30 Oct 2016 6:26 PM, "Merlin Büge" wrote:
>
> > Hi, I have migrated my archlinux desktop system from kde to xfce.
> >
> > How do I remove all kde packages and dependencies?
>
> https://wiki.archlinux.org/index.php/Pacman#Removing_packages
>
> Regards,
Unfortunately even pacman -Rcsn plasma will leave
On 31 Oct 2016, at 6:14 pm +0100, Bennett Piater wrote:
> I want to quickly chime in and say that I would really like
> authenticated buildscripts at some point :)
Any PKGBUILD kept in git can already optionally have this feature. See
git-commit(1), specifically, its --gpg-sign option.
iff
When it comes to security of online update mechanisms and that of
an index, TUF has a well designed scheme to be safe regardless of
http and plan for eventual leak/theft of signing keys.
I'd suggest anyone interested to have a look.
On 10/31/2016 06:04 PM, Levente Polyak wrote:
> On the other side we have a dev/TU authenticating the buildscript.
> Both cover certain areas but are still independent and one does not make
> the other futile.
Since this thread is helpfully on arch-general now, I want to quickly
chime in and say t
On 10/31/2016 04:43 PM, Patrick Burroughs (Celti) wrote:
> On Mon, 31 Oct 2016 16:16:21 +0100
> Levente Polyak wrote:
>
>> On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
>>> As a middle ground, I think it would be more reasonable (or at
>>> least, less unreasonable) to modify makepkg to
On Mon, Oct 31, 2016 at 2:18 PM, Guillaume ALAUX
wrote:
> On Mon, Oct 31, 2016 at 4:16 PM, Levente Polyak
> wrote:
>>
>> On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
>> > As a middle ground, I think it would be more reasonable (or at least,
>> > less unreasonable) to modify makepkg t
On Mon, Oct 31, 2016 at 4:16 PM, Levente Polyak wrote:
>
> On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
> > As a middle ground, I think it would be more reasonable (or at least,
> > less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at
> > least parts of them. For an e
On Mon, 31 Oct 2016 16:16:21 +0100
Levente Polyak wrote:
> On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
> > As a middle ground, I think it would be more reasonable (or at
> > least, less unreasonable) to modify makepkg to allow signing
> > PKGBUILDs, or at least parts of them. For an
On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
> As a middle ground, I think it would be more reasonable (or at least,
> less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at
> least parts of them. For an existing example, OpenBSD's signify(1) uses
> their cryptographic s
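The chain both Levente (a signed PKGBUILD implicitly authenticates the sources whose checksums it lists) and Celti (signify as an existing example) are describing, as an added example that is not makepkg code and not from any poster in this thread. Ed25519, the algorithm signify(1) uses, stands in for the dev/TU's PGP key; the PKGBUILD text, the source URL and the "tarball" bytes are constructed for the demo, and the function names are mine:

```go
package main

// Added example, not from the thread: a signed build script authenticates the
// external sources it names because the signature covers their checksums.
// Ed25519 stands in for the dev's PGP key. PKGBUILD text and tarball bytes
// are constructed here; nothing is fetched from the network.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// sampleSource stands in for the upstream tarball named in the PKGBUILD.
const sampleSource = "upstream hello-1.0 tarball bytes (constructed)\n"

// pkgbuildFor builds a minimal PKGBUILD whose sha256sums entry matches src.
func pkgbuildFor(src []byte) string {
	sum := sha256.Sum256(src)
	return "pkgname=hello\npkgver=1.0\npkgrel=1\n" +
		"source=(\"https://example.invalid/hello-1.0.tar.gz\")\n" +
		"sha256sums=('" + hex.EncodeToString(sum[:]) + "')\n"
}

// parseSha256sums extracts the sha256sums=(...) array from a PKGBUILD.
// 'SKIP' entries are kept verbatim; anything else must be a full digest.
func parseSha256sums(pkgbuild string) ([]string, error) {
	const key = "\nsha256sums=("
	text := "\n" + pkgbuild // anchor the match at the start of a line
	i := strings.Index(text, key)
	if i < 0 {
		return nil, errors.New("PKGBUILD has no sha256sums array")
	}
	body := text[i+len(key):]
	end := strings.IndexByte(body, ')')
	if end < 0 {
		return nil, errors.New("unterminated sha256sums array")
	}
	var sums []string
	for _, tok := range strings.Fields(body[:end]) {
		tok = strings.Trim(tok, `'"`)
		if tok != "SKIP" {
			if raw, err := hex.DecodeString(tok); err != nil || len(raw) != sha256.Size {
				return nil, fmt.Errorf("malformed sha256 entry %q", tok)
			}
		}
		sums = append(sums, tok)
	}
	if len(sums) == 0 {
		return nil, errors.New("empty sha256sums array")
	}
	return sums, nil
}

// verifySources checks every downloaded source against the signed checksums.
// makepkg accepts SKIP; this checker is deliberately strict, because a SKIP
// source is not covered by the PKGBUILD signature at all.
func verifySources(sums []string, sources [][]byte) error {
	if len(sums) != len(sources) {
		return fmt.Errorf("%d checksums for %d sources", len(sums), len(sources))
	}
	for i, src := range sources {
		if sums[i] == "SKIP" {
			return fmt.Errorf("source %d: checksum is SKIP, not covered by the signature", i)
		}
		got := sha256.Sum256(src)
		if hex.EncodeToString(got[:]) != sums[i] {
			return fmt.Errorf("source %d: checksum mismatch", i)
		}
	}
	return nil
}

// newDevKey generates the maintainer's signing key (Ed25519 as a PGP stand-in).
func newDevKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signPKGBUILD signs the exact bytes of the build script (like a detached signature).
func signPKGBUILD(priv ed25519.PrivateKey, pkgbuild string) []byte {
	return ed25519.Sign(priv, []byte(pkgbuild))
}

// checkPackage is the consumer side: refuse to build unless the script verifies
// under the trusted key and every source matches the checksums it carries.
func checkPackage(pub ed25519.PublicKey, pkgbuild string, sig []byte, sources [][]byte) error {
	if !ed25519.Verify(pub, []byte(pkgbuild), sig) {
		return errors.New("PKGBUILD signature invalid: build script is not authenticated")
	}
	sums, err := parseSha256sums(pkgbuild)
	if err != nil {
		return err
	}
	return verifySources(sums, sources)
}

func main() {
	pub, priv, err := newDevKey()
	if err != nil {
		panic(err)
	}
	src := []byte(sampleSource)
	pkgbuild := pkgbuildFor(src)
	sig := signPKGBUILD(priv, pkgbuild)
	fmt.Println("genuine:", checkPackage(pub, pkgbuild, sig, [][]byte{src}))
	bad := []byte("backdoored tarball (constructed)\n")
	fmt.Println("swapped tarball:", checkPackage(pub, pkgbuild, sig, [][]byte{bad}))
	// The attacker also rewrites the checksum to match; the signature no longer verifies.
	fmt.Println("rewritten PKGBUILD:", checkPackage(pub, pkgbuildFor(bad), sig, [][]byte{bad}))
}
```

A swapped tarball fails the checksum, and an attacker who also rewrites the checksum in the PKGBUILD fails the signature, which is why signing the build script covers the sources without a separate signature on each of them. What it does not cover is the part of the PKGBUILD that lists no digest (a SKIP entry, or a source whose checksum the maintainer never verified against upstream), and that is the gap the rest of this thread is about.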
On Mon, 31 Oct 2016 15:19:40 +0100
NicoHood wrote:
> Using PGP signatures is another discussion, also the hash algorithm. I
> think we should discuss that in another post, apart from https. From
> my point of view it's highly important to use a strong hash function
> as it's highly important for t