Linux Today: Linux News On Internet Time.


Arch's Dirty Little Not-So-Secret

Feb 28, 2011, 19:03

"A reader of my blog recently made a comment about Arch's lack of package signing, and this got me looking into the issue more carefully. What I found has left me deeply concerned with a number of aspects of Arch.

"Most distributions, even Windows, sign their packages so that when the computer downloads and installs them, it can check the signature to make sure the package is authentic – it hasn't been tampered with on the server, or anywhere between the server and the local system. This mechanism has been around for many years and works well – the tools to implement it are available and simple to use. Yet for some reason I can't understand, Arch Linux has never had package signing. Arch packages are simple tarballs – they can be opened, modified, and retarred, and the updating system has no way to detect this."
