On 20 July 2011 11:06, Lukas Fleischer <suckless_AT_cryptocrack.de> wrote:
> pacman 4.0.0 will support package signatures and we'll sign all packages
> in the official repos ([core], [extra], [community]) soon.
Debian IIRC just signs the package lists (including checksums) in
practice, which is fine.
I hope there isn't going to be a .sig for every .pkg.xz because that would suck.
Still this is besides the point. We were trying to work out how
suckless delivers the package, not Arch. So to be getting back to the
point, I would like to know how Arch can securely make sure it's
downloading the correct package. I know it has the md5 construct in
the PKGBUILD which I am not that keen about since it's manual, breaks
often and sucks etc.
Received on Wed Jul 20 2011 - 12:56:15 CEST
This archive was generated by hypermail 2.2.0 : Wed Jul 20 2011 - 13:00:05 CEST