LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
Old 03-19-2012, 02:51 PM   #1
michaelmas
LQ Newbie
 
Registered: Jan 2012
Posts: 21
Questions about package signing


Arch have only recently adopted package signing in pacman, and while Gentoo have had package signing for some time (I understand), many package developers don't bother to sign their packages.

My questions are, for a desktop user like me who's only looking to learn more stuff about Linux and not fill my drive with countless programs:
  1. Is package signing that big of a deal if I only use packages that I know are signed?
  2. Don't pacman and portage allow one to see whether a package is signed?
  3. And what about dependencies? Won't it defeat the purpose of package signing if a package manager installs loads of unsigned dependencies?
  4. Won't every package have to be signed or none?
 
Old 03-20-2012, 02:01 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55
IMHO package signing has nothing to do with what purpose you use Linux for. Signing is an assurance the package you use has been approved for release (accountability) by a certain publisher (reputation) and has not been tampered with (integrity). Partial package signing obviously doesn't prove anything wrt unsigned components but at least it's not as worthless as relying on package hashes. That doesn't prove or guarantee anything at all. In terms of accountability and integrity verification it indeed would be the best if every package gets signed.
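As an added illustration (not part of unSpawn's reply or of the pacman project's own documentation), pacman 4.x turns the "every package signed or none" trade-off from question 4 into an explicit policy in /etc/pacman.conf through the SigLevel option, and it applies that policy to every package it installs, dependencies included. The fragment below puts a setting that disables checking next to one that refuses unsigned or untrusted packages. The repository names are the stock Arch ones, the [custom] repository is a placeholder, and the commented pacman-key commands assume the archlinux-keyring package is installed.

```ini
# /etc/pacman.conf (excerpt) -- added example, not from the thread.
# Assumes pacman >= 4.0 and the archlinux-keyring package. Keyring
# setup, run once as root, before SigLevel = Required does any good:
#   pacman-key --init
#   pacman-key --populate archlinux

[options]
# Weak: no signature checking at all. A package whose hash matches the
# database still installs, and so does a tampered one served together
# with a tampered database.
#SigLevel = Never

# Also weak: verify a signature only if the package ships one, and
# accept any key ("TrustAll"). Unsigned packages and unsigned
# dependencies install silently, which is the gap in question 3.
#SigLevel = Optional TrustAll

# Corrected: every package must carry a signature from a key that is
# trusted in pacman's keyring. The sync databases may still be unsigned
# ("DatabaseOptional"); drop that word to require database signatures too.
SigLevel = Required DatabaseOptional
# Policy for packages installed from a local file with `pacman -U`.
LocalFileSigLevel = Optional

[core]
Include = /etc/pacman.d/mirrorlist

[extra]
Include = /etc/pacman.d/mirrorlist

# A per-repository SigLevel overrides [options]. Requiring signatures
# from a fully trusted key on a third-party repository keeps one
# unsigned dependency from undermining the rest of the system
# (questions 3 and 4). "custom" and its path are placeholders.
#[custom]
#SigLevel = Required TrustedOnly
#Server = file:///home/custompkgs
```

With SigLevel = Required in force, pacman refuses any package whose signature is missing or made with a key it does not trust, whatever the package's hash says; that refusal, not the hash in the database, is what delivers the accountability and integrity described above. Where a package is signed, pacman downloads a detached signature next to it, so a file without a matching `.sig` in /var/cache/pacman/pkg/ is one that arrived unsigned, and `pacman-key --verify <package-file>.sig` (placeholder name) checks a single package by hand.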