Hi,

Okay, let's wisper this: arch does not have package signing...
Paccheck should (in theory) be able to help out, by sniffing out bad mirrors.

I use the mirrorlist that came out of the box, but only the german ones (they seemed fastest). I did not have sudo installed (now, I have) (security, I could be wrong about this, but hey) - now when I enter

I read that I'm not in the sudoers file. When I do put myself in there, paccheck can not be found. I did install the thing:

as root (of course)

So, is paccheck bogus? What am I doing wrong (obviously, something, I just dont know what) or is paccheck simply not needed?

Tnx 4 some help

Thor

Based on the file name from the AUR, I think this should be
Personally, I prefer to make things packages, so I would use the AUR.

Once installed, usage is detailed here.

Hey reed9!

Tnx! The kitten lives...it told me some mirrors failed to respond (no such file or directory) maybe some tweaking from my end is needed...

Okay, on to the link-and-info you've provided!

Cheers!

Thor

Sorry I missed your question in this thread - glad you got it sorted out.

On the package signing issue, LWN.net just published a comprehensive article, which mentions paccheck as well. Linux Today also picked this up last month, so it's good to see the issue getting increased visibility.

Hey IgnorantGuru!

Well, you just found my earlier post. At that time I was not even beyond the install...the real nitty-gritty came later. You helped me out on that. Today (weekend at best?) a full sysupdate is in order.
To be quite honest, I was waiting for something to assure me of clean packages, but did'nt know what...well, now I know. You saved me from a distro-hop!!

If I can help to increase the footprint...lemme know!

Thor

I would like to add this link to the record as a response to IgnorantGuru:
http://www.toofishes.net/blog/real-s...ckage-signing/

Hey Bratmon!

I read the post...as far as I can see: Arch and Pacman are great pieces of software. The idea of compromised software ending up on the hard drive is a scary one (I for one should know, in windows, that WAS the main scare all the time) and I see paccheck as a great "in the mean time" and a wonderful tool to check the validity of the mirrors. As far as I can see, it is a way to take the pressure off the package signing until that work CAN be done...

To quote some stuff
Well, Linux is an effort of lots of people, all (mostly?) volunteers.

Not needed, Arch is "alive" in that it is a constant work in progress.

No, but what I can come in to is that priorities - for the time being - lie elsewhere. So paccheck could be a great tool to act as a "lightning rod" for now. In the end, I am convinced package signing will get there...but it takes time.
I am/was a software developer. I know what it's like to be between more than two fires...

I have actively hand-picked Arch for several reasons, one being stability.

I like linux for what it is: people stuff. It (Arch, that is) helped me get to understand the inside of Linux. Something Ubuntu and Fedora (for all of their good qualities) never did, as they were not designed for that goal.

I for one stress that signing and whatever the "others" have will get there. And I'll stick around for the ride!

Thor
PS thanks for this contribution. Let me end with this thought: between two extremes lies understanding, but both extremes have to meet the other half-way.