Package Signing Comes To Pacman and Arch Linux

Posted by timothy
from the ok-but-who-are-you-really dept.
fwarren writes "One of the main complaints heard around here on why some Slashdotters don't run Arch Linux is that the packages are not signed. Fear no more: Arch Linux and Pacman now allow for package signing."
  • by Anonymous Coward
    Welcome to at least 2003!
  • by jampola (1994582)
    It's the Linux man's Linux. I have so much love for Arch and to be honest, the lack of package signing has never been an issue. But nonetheless, a welcomed addition!

    Moreover, I haven't really heard of too many people complaining about the lack of Package Signing when it comes to Arch Linux; usually it's the fact that after you install, you are pretty much presented with BASH, and that's it!
    • by jampola (1994582)
      I should rephrase, the lack of Package Signing has not been an issue to me, not in general. Sorry if I confused anyone. Now carry on...
    • by Hatta (162192)

      How do you know that package signing has never been an issue for you? You could be using a rooted 'login' and never know. Unless you have a checksum, you can't be sure the packages you fetch from arch haven't been tampered with.

      • by Tim4444 (1122173)

        checksum != digital signature

        Arch already provides checksums for source to be downloaded for AUR packages. I'm not sure about binary packages. In any case, that's not the same as digital signing, which is what is being implemented here. I highly recommend Applied Cryptography (ISBN 0-471-59756-2) if it is not clear to you.

        • by Hatta (162192)

          You are of course correct. Checksums can be forged, digital signatures cannot. I'm quite aware of the difference, but did not write precisely.

    • by t0rkm3 (666910)

      Yeah... I love Arch, and I hate it.

      However, I have to say that the documentation is quite excellent (with some reservations {wireless is a bit messy}) and the forum and IRC support is very helpful. Which is inconsistent across the distros (Gentoo and Sabayon tend to either be really helpful or real hardcore jerks). The Arch guys are always cordial and helpful which encouraged me to hang out there more often...

      Pacman is slick and fast. The query feature could be more robust before it reaches Debian lovelines

  • by Anonymous Coward on Tuesday January 17, 2012 @11:32AM (#38725038)

    What does Arch bring to the table?

    Debian has a minimal install option, is committed to freedom, has an awesome package manager, has tons of packages available, and has multiple release tracks that allow one to stay cutting edge should one wish.

    RedHat is commercially supported.

    CentOS is the free version of RedHat.

    SLES is commercially supported, with a deal with Microsoft to interoperate.

    Ubuntu is Debian made easier.

    Gentoo is for people who like to recompile software for their hardware.

    I get all of the above distros. I don't run them all myself -- especially not gentoo -- but I understand why some people do.

    What's the point of Arch? I poked at the website and wikipedia pages, but don't see an explanation of what it gives you over, say, a base Debian install.

    Note: this is not intended as a troll. I'm curious as to what Arch brought to the table. Why was it introduced? I'm sure there's an answer, just curious what.

    • by Anrego (830717) *

      I agree.

      I tried arch and wasn't impressed.. it didn't seem to do anything better than any of the other distros, and had some measure of .. unusualness. I also found the install process fairly unwieldy (especially package selection).

      Personally I'm a Gentoo user. Not really for the recompiling for hardware thing .. I just prefer the way they handle certain things in contrast to say, Debian.

      • by Anonymous Coward

        package selection should be used to select additional packages you really need (like wifi drivers).

        You setup your system **after** installing a base system.

        This is a case #200394934908 of not following the beginners' guide.

        • by Anrego (830717) *

          Fair enough. I will say that while you expect to have to read through some documentation the first time installing something like Gentoo, something that provides an installation utility I'd expect not to need to.

          I went the "install only basic packages" route anyway as it's what I tend to do on any distro, but if this is the actual intended method, putting a note to that effect in the installer itself might be a good idea (if not already done). I can't be the only one who doesn't see "step by step install u

          • by Thantik (1207112)

            I'm not exactly sure I'd call what arch has an "installation utility". It's more of a bootstrap utility.

    • Arch is something between Gentoo and Debian. It has binary repositories, similar to Debian, but "optimized" for i686 (not i386) and amd64 (there's ARM port too...).

      If you want to build a custom package, there is the AUR (Arch User Repository), which is a Gentoo-style source-based "bolt-on" onto the binary package management. There is almost everything in there - only very few packages do not have their "PKGBUILD" (the Arch version of e-builds from Portage).

      You can also easily recompile the provided packages (in official repositories) using the ABS (Arch Build System) - should you wish to use a non-default option in the compilation process (this is more similar to Gentoo than Debian; I'm sure it's possible to do in Debian, but it's non-obvious).

      The init process is different, much simpler than Debian. Instead of the whole "runlevels" shebang, Arch uses BSD-style init, where you have your daemons in an array in a config file. The daemon dependencies are resolved automatically.

      It comes with no "official" desktop environment (similar to Gentoo or Debian minimal install). It also generally uses the newest stable vanilla upstream packages - there are only very few cases of things being patched - which means you can usually file bugreports directly with upstream.

      I hope I didn't miss anything...

      • Oh, and I almost forgot - it has the most comprehensive wiki. The Gentoo wiki used to be very very very good, until it died a couple of years ago - and it never regained its glory. The Arch wiki filled its place very well - and as most of the packages in Arch are vanilla, you can use the tricks learned there in other distros too.

        • by EvanED (569694)

          The Gentoo wiki used to be very very very good, until it died a couple of years ago - and it never regained its glory

          Aw, that's too bad. I didn't know that it went away; I haven't used Linux at home for a few years. I've said a few times in "what distro should I use" conversations that if you have a few rare qualities (the time and will to tinker, some knowledge about computers even if it's not about Linux specifically, and aren't afraid to play around and try things), Gentoo is actually a decent choice to

      • by loufoque (1400831)

        Debian, Ubuntu and the like all have an amd64 version as well.
        There is no reason to use a i386/i686 version instead of amd64. The latter will be faster and be able to use more memory.

        • Yes. That's why I said it's i386 vs i686, and amd64.

          • by loufoque (1400831)

            It's not really a differentiating factor since every other distribution has amd64, and given that i686 is useless when you have amd64.

            • There are a couple of i686 processors which are not amd64. For example, most of the Pentium 3/4's, and the Intel Dual Cores. Granted, it's not really a big deal.

        • by Narishma (822073)

          The reason to use an i686 version is if you have a CPU that doesn't support x86_64, such as the first few models of Atoms or older CPUs that predate AMD64's introduction.

      • by substance2003 (665358) on Tuesday January 17, 2012 @01:10PM (#38726414)
        I think the only thing you missed was that it's a rolling release OS, meaning that unlike other distros, you never need to reinstall it unless you mess up.
        That to me has been the most important feature for me as I found it would get old to have to reinstall Fedora every 6 to 12 months to get access to the latest bleeding edge software.

        As one reviewer said, this OS is always fresh.
        • by Edwin_OS (2427140)
          Finally somebody said it, and no, setting testing repos in debian is not as close as using a good rolling release.
        • by pastie (80784)

          Debian unstable/sid is a rolling release distro too.

          • by Edwin_OS (2427140)
            Sadly it breaks a lot more than the Arch rolling release repo. I guess it should be because the Arch rolling release repo has all the attention from its community making sure that it keeps as stable as possible.
      • by aix tom (902140)

        As both an Arch and Gentoo user, I also like the fact that both don't have versions. The update of a specific package is done when the package is ready upstream, not when a new version of the distro comes out.

        Basically the way it feels is that the both are versionless distros with a package management system. In Gentoo the default format for a package is source, but you CAN create binary packages yourself if you want. In Arch it's the other way around, the packages are binary by default, but you CAN use sour

    • by some_guy_88 (1306769) on Tuesday January 17, 2012 @11:48AM (#38725292) Homepage

      My favourite Arch feature is the AUR [archlinux.org] (Arch User Repository) where anyone can submit their own packages which other users can then install.

      Because of the AUR, Arch is more likely to have a package for some given obscure application that Debian would be missing. Also, these packages are kept up to date to a greater extent than you'll see on Debian. Finally, they're all in one place, whereas you don't have to constantly add repositories to your package manager's repo list.

      • by bjoast (1310293)

        Because of the AUR, Arch is more likely to have a package for some given obscure application that Debian would be missing. Also, these packages are kept up to date to a greater extent than you'll see on Debian. Finally, they're all in one place, whereas you don't have to constantly add repositories to your package manager's repo list.

        What you're mentioning are some of the main reasons why I am running Arch. But there's also the wiki, the community and the feeling of having a system which is very simple and clean. I tried it a few months ago and just loved it.

        • by devilspgd (652955)

          I find the simplicity of it to be just amazing. Everything is where I'd expect, nearly everything is done the way that makes sense, and it doesn't get in my way.

          When I have run into problems, I've had a surprising amount of help without the "Why are you running Linux if you don't understand /that/?" arrogance that is so common in certain Linux areas.

      • by Morty (32057)

        My favourite Arch feature is the AUR [archlinux.org] (Arch User Repository) where anyone can submit their own packages which other users can then install.

        Cool, thanks. That's a good differentiator. Most other distros have mechanisms to add unofficial repositories. But that's a lot of bother for the packager.

        Next question: why did Arch need to reinvent the package management wheel? deb and rpm already existed. What does the Arch package format (format, not the pacman front-end) give you that other formats could not have?

        - OP

        • by Korin43 (881732)

          Next question: why did Arch need to reinvent the package management wheel? deb and rpm already existed. What does the Arch package format (format, not the pacman front-end) give you that other formats could not have?

          - OP

          Arch packages are much easier to build. This was the thing for me. You basically write a file containing the package name, version number, where to get the sources (and their checksums), and then a bash script of how to install it. Most Arch packages can be written in minutes -- which I think is why the AUR is so popular.

          For example, this is the entire source for a pylibmc package:

          http://aur.archlinux.org/packages/py/python2-pylibmc/PKGBUILD [archlinux.org]

          Notice how simple the build() section is in comparison to Debian pa

          • by jpate (1356395)
            As a follow-up, the resulting binary packages are also simple. They are a perfectly vanilla xz-zipped tarball (Really! download and extract the package for bash [archlinux.org]) containing:
            1. The files in the tarball relative to /.
            2. A small metadata file recording e.g. dependencies, any configuration files that should be backed up.
            3. (Optional) A small file containing bash functions that will be executed before and after installation, upgrades, or removal.
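            The package layout jpate describes above (payload files relative to /, a small metadata file, an optional file of install hooks), as an added Go example; this is not code from pacman or the Arch project. The metadata and hook member names used here, .PKGINFO and .INSTALL, are the ones real packages carry; the package name, field values and file contents are constructed for the example, and the archive is written as an uncompressed tar because Go's standard library has no xz writer (the layout inside is the same). The parser also refuses member paths that would escape the install root, a check any tool that unpacks third-party archives should make.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Entry is one member of the package archive: a path relative to / and its body.
type Entry struct{ Name, Body string }

// Package is the parsed view of an Arch-style binary package.
type Package struct {
	Info    map[string][]string // metadata fields; repeated keys such as depend/backup accumulate
	Files   []string            // payload paths, relative to /
	Install string              // install hook script, empty if the package has none
}

// SampleEntries returns a constructed "hello" package (hypothetical, not a real
// Arch package). The metadata lines follow the .PKGINFO "key = value" layout.
func SampleEntries() []Entry {
	return []Entry{
		{".PKGINFO", "pkgname = hello\npkgver = 1.0-1\ndepend = glibc\nbackup = etc/hello.conf\n"},
		{".INSTALL", "post_install() {\n  echo 'hello installed'\n}\n"},
		{"usr/bin/hello", "#!/bin/sh\necho hello\n"},
		{"etc/hello.conf", "greeting=hello\n"},
	}
}

// BuildTar serialises entries as an uncompressed tar stream (real packages add xz on top).
func BuildTar(entries []Entry) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0o644, Size: int64(len(e.Body))}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := io.WriteString(tw, e.Body); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// safeName rejects absolute paths and paths that climb out of the install root.
func safeName(name string) bool {
	clean := path.Clean(name)
	return !path.IsAbs(name) && clean != ".." && !strings.HasPrefix(clean, "../")
}

// ParsePackage walks the tar stream and separates metadata from payload files.
func ParsePackage(data []byte) (*Package, error) {
	p := &Package{Info: map[string][]string{}}
	tr := tar.NewReader(bytes.NewReader(data))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if !safeName(hdr.Name) {
			return nil, fmt.Errorf("unsafe path in package: %q", hdr.Name)
		}
		switch {
		case hdr.Name == ".PKGINFO":
			body, err := io.ReadAll(tr)
			if err != nil {
				return nil, err
			}
			for _, line := range strings.Split(string(body), "\n") {
				line = strings.TrimSpace(line)
				if line == "" || strings.HasPrefix(line, "#") {
					continue
				}
				k, v, ok := strings.Cut(line, " = ")
				if !ok {
					return nil, fmt.Errorf("malformed metadata line: %q", line)
				}
				p.Info[k] = append(p.Info[k], v)
			}
		case hdr.Name == ".INSTALL":
			body, err := io.ReadAll(tr)
			if err != nil {
				return nil, err
			}
			p.Install = string(body)
		case strings.HasPrefix(hdr.Name, ".") && !strings.Contains(hdr.Name, "/"):
			// other top-level metadata members are not needed for this example
		default:
			p.Files = append(p.Files, hdr.Name)
		}
	}
	if len(p.Info["pkgname"]) == 0 {
		return nil, fmt.Errorf("package has no pkgname")
	}
	return p, nil
}

func main() {
	data, err := BuildTar(SampleEntries())
	if err != nil {
		panic(err)
	}
	p, err := ParsePackage(data)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s %s depends on %v; files %v; backup %v\n",
		p.Info["pkgname"][0], p.Info["pkgver"][0], p.Info["depend"], p.Files, p.Info["backup"])
}
```

            Run it with `go run` on the file; the backup entries are the ones a package manager would preserve on upgrade, and the install hook is only stored, never executed, by this parser.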
    • by dejanc (1528235) on Tuesday January 17, 2012 @11:56AM (#38725402)

      What does Arch bring to the table?

      1. It's a rolling release distribution, which many people like.
      2. The package manager is very easy to use.
      3. Making new packages and modifying existing ones is extremely easy. Not only is the syntax of package definition very simple, but all package sources are easily available with the ABS (Arch Build System, something like ports).
      4. The previous point is the reason that AUR (centralized repository of user-submitted packages) is very popular and generally of acceptable quality.
    • Re: (Score:3, Insightful)

      by gajop (1285284)

      Read: https://wiki.archlinux.org/index.php/Arch_Compared_to_Other_Distributions [archlinux.org]
      I don't think you have a clue tbh. I've tried most well known Linuxes (all that you mentioned and a few others), and I can tell you that there are two major differences that distros have, as far as users are concerned: 1) GUI/CLI based (which is also complex/minimalistic), 2) Regular/rolling release based.

      1) Ubuntu, Fedora, OpenSUSE and so on are GUI based systems, coming with fully installed DEs and offering people little choice

    • by Hatta (162192) on Tuesday January 17, 2012 @12:05PM (#38725546) Journal

      Great documentation and vanilla packages. That about sums it up. It's like Slackware with improved package management.

      I've been running systems built from Debian base for about a decade. Recently I kept running into the Arch wiki when I wanted to solve a problem. e.g. if I want to reenable ctrl-alt-backspace in Xorg. If I google that, I get a page full of shitty Ubuntu related solutions that depend on extra packages or gui configuration tools.

      But there's one result that sticks out. The Arch wiki [archlinux.org] provides a nicely organized, richly linked list of things you might want to configure, and how to configure them. This is how you collect and present useful information. I figured, if I find myself consistently using the documentation for a distro, maybe I should check out the actual distro.

      So I still use Debian on most of my systems, but have thrown Arch on a couple for fun. It's easy, it works, and it doesn't feel as crufty as Debian does. Package signing will make it a contender for real work. Yay Arch!

      • So I still use Debian on most of my systems, but have thrown Arch on a couple for fun. It's easy, it works, and it doesn't feel as crufty as Debian does. Package signing will make it a contender for real work. Yay Arch!

        Can you describe it without the weasel words?

        What do you mean when you describe Debian as "crufty"? What do you mean when you say Arch is "fun"?

        I could use those words to describe just about any distro, but they don't really communicate anything other than that you prefer Arch over Debian for some unspecified reason(s) -- which we could easily guess from the rest of your post.

        I'm not saying it is or is not a good distro -- I just don't think that "crufty" and "fun" mean much of anything. As The Dude says:

        • by Hatta (162192)

          I didn't say Arch was fun, I said fun was my motivation for putting it on a couple computers. I could have had the same fun with any distro, but Arch seemed to be a good choice for the reasons I described in my earlier post.

          I did say Debian was crufty. And yes, that's probably subjective. Just the sheer number of packages makes it harder to figure out what the best way to do something is. It's not a major criticism and I don't dislike Debian for it. I still use it on anything important.

        • by t0rkm3 (666910)

          For starters? The init system.

          Otherwise? The packages in general. It takes something so long to make it through the repo approval system that it's obsolete by the time it hits mainline. For some that is probably a bonus, but for me that's just a pain in the arse, cuz then I have to go and find either a repo that bolts on or a deb and the appropriate dependencies. For those that argue that AptoSid, or unstable/testing etc are the answer... well my forays into AptoSid and unstable/testing were less stable tha

      • by NorQue (1000887)

        But there's one result that sticks out. The Arch wiki [archlinux.org] provides a nicely organized, richly linked list of things you might want to configure, and how to configure them. This is how you collect and present useful information. I figured, if I find myself consistently using the documentation for a distro, maybe I should check out the actual distro.

        That's what happens to me a lot, too, lately. Previously it used to be the Ubuntu Forums where you could find a lot of useful information, but nowadays

    • by Hatta (162192)

      This shouldn't have been modded down. It's a good question, well stated, that provoked a number of thoughtful responses.

    • Floating point texture support in mesa? AFAIK they are the only binary distro to enable that flag because of patent concerns.

    • 1) It's a rolling-release distribution.
      2) It's bleeding edge (so no point comparing it to debian).
      3) It follows the KISS principle.

    • by Spykk (823586)
      A description of Arch in the format you used to describe the other distributions might be:

      Arch is a rolling release distribution that tries to keep its packages as close to vanilla as possible.

      While I wouldn't recommend Arch in a production environment (the bleeding edge can be slippery) it works great for my personal server/media center and my netbook. Rolling release means you get to try out those great new features the day after you hear about them instead of six months later.
    • I've tried maybe 15-20 distributions in the past 15 years, and finally settled on Arch. I like it for its minimalist base installation that lets ME choose the desktop environment without installing a bunch of crap I don't need; I also like its granularity that installs ONLY the packages I choose and their dependencies without a lot of additional crap I don't need.

      So, you might say, use Linux From Scratch or Gentoo instead. I did! I used LFS for five years, but once I had learned enough from it in terms o

      • by Raenex (947668)

        Debian has granularity too. You don't need to install a desktop environment, but Debian provides a default install in case you want to. Debian has worked out all the dependencies for you, too, and provides binaries for many architectures. You can also easily build a package from source if you want to tweak it.

        Also, it provides different levels of dependencies, from required, to recommended, to suggested, and you can specify what the default is, as well as override the default when installing any package.

        It

    • One of the differences between Arch and Debian is that Pacman is much more minimalistic about what it considers a dependency.
      This allows greater control for those who obsess over what they do and don't want on their system.
      It also helps with learning a lot about what each component does and why it's there. When I've tried minimalistic Debian installations in the past, I quickly get overwhelmed by the amount of things each package brings with it.
      I probably would not install Arch again, but setting up my
      • by t0rkm3 (666910)

        I wish I had modpoints... It seems that the Debian peeps think that I have infinite diskspace, so when I want to install something to test it... It MUST come with 80 bajillion other packages... and deinstalling those may traverse back up the tree and break something that I want. Hence my hate for *untu as well.

    • by NotBorg (829820)

      Arch Linux brings a lot to the table but in areas you wouldn't expect. If you just "try" Arch Linux you probably miss the good points. I guess you could say that it grows on you. Or maybe that it grows with you.

      The biggest, most obvious thing that Arch does that differentiates it from other distributions is that it is a rolling release. When an upstream project releases a new version and calls it stable, it works its way into Arch. How does this differ from other distributions which can get newer pac

  • I'd read a lot of good things about Arch, so I decided to give it a go a few months ago. I wanted to like it, I really did, but my experience over 3 ~ 4 hours was reminiscent of installing Slackware circa 2002. I don't want to have to know how to configure every package on my system from scratch, I want them to mostly work, and then be able to tweak them. I simply don't have the time for anything else. Maybe this just means Arch isn't for me, but it seemed that the install process was going out of its way

    • by zanian (1621285)

      Naturally, the more you know before installing, the easier it is, so I wouldn't say you missed anything. I use Arch and I love it, but I also don't mind having struggled with it for hours. Sounds to me like it's just not for you. The only things that make it easier are the great wiki and the forums.

    • Well, there is a lot of apps which do not need wireless-tools and work with WPA supplicant just fine. Arch's own network management uses WPA supplicant, WICD doesn't need wireless-tools either. When you install Gnome, or Xfce, though, wireless tools get pulled in.....

      Maybe it means Arch is not for you, though! And there's nothing bad in that.

    • by Hatta (162192)

      No, you didn't miss anything. Arch is for people who believe (correctly or incorrectly) that setting things up yourself so you know exactly how they work is less work in the long run than taking someone else's setup that "mostly works" and tweaking it.

    • Over the course of about 3 installs, the process gets a lot faster. The Beginner's Guide on the wiki takes you along the scenic route to get you acclimated to the system.

      Personally, of all the Linux distributions I've worked with, I like Arch as a server. This is simply because I find the configuration from the command line to be far simpler than Debian based distributions. Comparing to RedHat/CentOS, for me, lands in the middle of Arch and Debian in complexity. However, if you have some fairly complex

    • Setting up Arch Linux is not hard. The article at http://lifehacker.com/5680453/build-a-killer-customized-arch-linux-installation-and-learn-all-about-linux-in-the-process [lifehacker.com] is particularly useful. I did not even need to refer to the guide. Just followed the instructions at LifeHacker and then used the Arch Wiki to configure and fine tune things from there. So yeah, I can do it. But I found a better way.

      I now do my Arch setups by installing ArchBang. ArchBang is a riff on CrunchBang. As a live CD, it is Arch L

    • by PReDiToR (687141)
      I've never installed wireless-tools. ifconfig wlan0, wpa_supplicant, dhcpd ... What would you need anything else for?

      I use Arch on my laptop, EEE and torrent server.
      Modern software on rolling release, most files where you expect them to be and no bloat (strigi, nepomuk, akonadi ... ) make this distro a joy to work with.

      Just for giggles I will point out that my desktop machine runs on Gentoo, so obviously I'm a masochist =)
  • Whew.... (Score:5, Funny)

    by liquidweaver (1988660) on Tuesday January 17, 2012 @12:06PM (#38725556)

    I've been using Arch for years, and the constant flow of virii and rootkits that were deluging me might finally go away!
    With all the recent news of linux package repositories being the main vector of all these advanced persistent threats my CPO (Chief Pentest Officer) has been telling me about, I can now breathe a sigh of relief.

    • I lol'ed. I guess no one with mod points today has a finely tuned sarcasm meter.
    • Not quite. *twitch* You have to enable it manually right now and the completion of the package signing work is only fully complete on [core]. [extra] is about halfway there and [community] is...well....NOT. :-/
  • by mshenrick (1874438) on Tuesday January 17, 2012 @12:09PM (#38725594) Homepage
    I feel like such a fearless badman for running arch linux before the packages were signed
  • Vanilla doesn't suit everyone. I've used Fedora, Debian, Ubuntu and Arch (and several of their derivatives) full-time. From that experience I've learned two things:

    * Arch is my favourite distro.
    * My life is better when I use Ubuntu full time.

    Arch has a simpler init, a better config structure, a better filesystem layout, a simpler packaging format that's easy to create build scripts for, and amazingly good documentation. Also, all the points people make about AUR are valid, it's marvellous. Much to love

  • But I couldn't decide between Fedora and Ubuntu for long time. Always torn between Fedora's features and Ubuntu's support and software-base. And then I installed Arch and I seek no more.

    The ultimate Linux distro for the semi-poweruser. It's more bleeding edge than Fedora, more solid/stable than Ubuntu (not Debian level, no sir, but close enough for desktop use), with AUR - giant software repositories (stuff Fedora didn't hear of, one click away... or command) and last, but not least, the best community anywhere

  • I thought most people had realized by now that signing packages is far from being a useful security feature, unless you have some way of revoking the signature on a package-by-package basis. What you want is a signature on the repo (preferably with an expiry date, so a malicious mirror can't just keep a vulnerable repo state around forever).

    A package signature protects against trojans, but gives false credibility to official packages with vulnerabilities. A hostile mirror (possibly using a MITM attack) ca
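    Two points from this thread in one added Go example, not code from pacman or Arch: Tim4444's "checksum != digital signature" exchange with Hatta above, and the comment just above proposing a signature over the repository state with an expiry date rather than only per-package signatures. It uses Ed25519 from Go's standard library (pacman's real implementation is built on GnuPG keys, so that is an assumption for illustration), a constructed JSON repository database that stands in for the real database format, and constructed package bytes. It shows that a checksum published beside a package on a mirror can be made to match any content, while the signed database with an expiry rejects a modified package, a stale database, and a database re-signed with a key that is not the repository's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// RepoDB is a constructed stand-in for a signed repository database (assumption:
// this is not pacman's actual database format).
type RepoDB struct {
	Expires time.Time         `json:"expires"`
	Files   map[string]string `json:"files"` // package file name -> hex SHA-256
}

// SignedRepoDB carries the serialised database and a signature over those exact bytes.
type SignedRepoDB struct{ DB, Sig []byte }

var (
	ErrBadSignature   = errors.New("repository database signature does not verify")
	ErrExpired        = errors.New("repository database has expired")
	ErrUnknownPackage = errors.New("package not listed in repository database")
	ErrHashMismatch   = errors.New("package contents do not match repository database")
)

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// ChecksumOnlyVerify models a mirror that publishes checksums beside packages:
// whoever controls the mirror can publish a matching checksum for any content.
func ChecksumOnlyVerify(pkg []byte, publishedSum string) bool {
	return sha256Hex(pkg) == publishedSum
}

// SignRepoDB serialises the database and signs the bytes with the repository's private key.
func SignRepoDB(priv ed25519.PrivateKey, db RepoDB) (SignedRepoDB, error) {
	raw, err := json.Marshal(db)
	if err != nil {
		return SignedRepoDB{}, err
	}
	return SignedRepoDB{DB: raw, Sig: ed25519.Sign(priv, raw)}, nil
}

// VerifyPackage is the client side: the public key alone checks the signature,
// a stale database is refused, then the package is checked against the signed hash.
func VerifyPackage(pub ed25519.PublicKey, s SignedRepoDB, now time.Time, name string, pkg []byte) error {
	if !ed25519.Verify(pub, s.DB, s.Sig) {
		return ErrBadSignature
	}
	var db RepoDB
	if err := json.Unmarshal(s.DB, &db); err != nil {
		return err
	}
	if now.After(db.Expires) {
		return ErrExpired
	}
	want, ok := db.Files[name]
	if !ok {
		return ErrUnknownPackage
	}
	if sha256Hex(pkg) != want {
		return ErrHashMismatch
	}
	return nil
}

// Outcome collects the results of RunScenario.
type Outcome struct {
	ChecksumOnlyAcceptsTampered        bool
	Genuine, Tampered, Expired, Forged error
}

// RunScenario plays through the cases with constructed package bytes and keys.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, mirrorPriv, err := ed25519.GenerateKey(rand.Reader) // the mirror's own key
	if err != nil {
		return Outcome{}, err
	}
	const name = "hello-1.0-1.pkg.tar.xz" // constructed package name
	genuine := []byte("constructed package bytes, version 1")
	tampered := []byte("constructed package bytes, version 1, altered on the mirror")
	issued := time.Date(2012, 1, 17, 0, 0, 0, 0, time.UTC)
	db := RepoDB{Expires: issued.Add(7 * 24 * time.Hour), Files: map[string]string{name: sha256Hex(genuine)}}
	signed, err := SignRepoDB(priv, db)
	if err != nil {
		return Outcome{}, err
	}
	// Without a signature the mirror simply publishes the checksum of what it serves.
	o := Outcome{ChecksumOnlyAcceptsTampered: ChecksumOnlyVerify(tampered, sha256Hex(tampered))}
	o.Genuine = VerifyPackage(pub, signed, issued.Add(time.Hour), name, genuine)
	o.Tampered = VerifyPackage(pub, signed, issued.Add(time.Hour), name, tampered)
	o.Expired = VerifyPackage(pub, signed, issued.Add(30*24*time.Hour), name, genuine)
	// Re-signing the database requires the repository's key; the mirror only has its own.
	db.Files[name] = sha256Hex(tampered)
	resigned, err := SignRepoDB(mirrorPriv, db)
	if err != nil {
		return Outcome{}, err
	}
	o.Forged = VerifyPackage(pub, resigned, issued.Add(time.Hour), name, tampered)
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

    The expiry check is what keeps a mirror from serving a once-valid database forever; in practice the client's clock source and the length of the validity window are the tuning knobs, and a hash mismatch for a listed package is the case worth alerting on.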

  • There's not a single Pacman-the-game/Ms Pacman joke here.
