Arch Linux package signing not implemented?

Posted: March 6, 2011. At: 11:38 AM. This was 6 years ago. Post ID: 1060

Quoting from the website.

Most distributions, even Windows, sign their packages so that when the computer downloads and installs them, it can check the signature to make sure the package is authentic – it hasn’t been tampered with on the server, or anywhere between the server and the local system. This mechanism has been around for many years and works well – the tools to implement it are available and simple to use. Yet for some reason I can’t understand, Arch Linux has never had package signing. Arch packages are simple tarballs – they can be opened, modified, and retarred, and the updating system has no way to detect this. This tampering can take place on one of the many mirrors that host Arch packages, yet it can also take place elsewhere – in network proxies and misdirection, in intranet caches, and on local systems. Package signing gives admins a way to verify that the packages they’re using to update their system are authentic, regardless of how those packages have been delivered or stored, or who has access to the data.

Most Linux distributions like OpenSuse have packages signed to be installed on that distribution and if you want to install other packages you have to import a gpg key that those other packages are signed with and then packages can be installed from that repository as usual. But without package signing, anyone could put up a package containing malicious code and then it would be installed and if it was a package for MYSQL or Apache then it could compromise a machine set up as a server and then someone might actually take heed of the people who have been commenting and asking for a simple package signing system for the repositories. I have tried out the Arch Linux x64, and I liked it but I prefer Opensuse 11.3 and OpenBSD, the latter I am typing this on whilst watching Carl Sagan’s Cosmos series. OpenBSD has an unrivaled security record and has a good software library. OpenSuse uses package signing and it is very secure. Making sure that the package repositories are very secure and malicious people can not insert packages into the system is important.

There is more discussion here. But this is a severe security risk and just because it is Linux does not mean that it will magically be immune to a website that sets up a package repository and redirects Arch Linux users from one package repository to their site with modified packages and then they would be installing trojans and malicious code without knowing it.

No comments have been made. Use this form to start the conversation :)

Leave a Reply