[Slackbuilds-users] Arch User Repository compromise
Ruben Schuller
sb at rbn.im
Fri Jun 12 20:28:42 UTC 2026
Hi List,
2026-06-12 "J. Milgram via SlackBuilds-users"
<slackbuilds-users at slackbuilds.org>:
> How about asking maintainers to submit separate gpg signature files
> when uploading packages, like the .asc sig files we now download from
> the repo. Introduces key trust issues but upside is that it should be
> simple to verify immediately on uploading.
>
>
> (Not a fan of having yet one more password...)
I would prefer a solution with a GPG signature as well. Just some
brainstorming:
Save the public key used the first time a SlackBuild is
submitted (or first time updated after this is introduced), check
against this on following updates. This would at least introduce an
additional check.
If the saved pubkey is changed by the admins, this should trigger a
message to the mailing list to make sure it can't be changed by
impostors. Maybe add a cool-down period (7 days or something) where
updates can't be submitted with a changed key so there is enough time
for people to read the mailing list notification.
Cheers
Ruben
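The pinning scheme sketched in the message above (record the submitter's key on first upload, compare on later uploads, and let admins change the pinned key only after a notification plus a 7-day cool-down) is spelled out here as an added example; it is not code from the list, from SlackBuilds.org, or from the poster. It assumes the detached `.asc` signature has already been verified elsewhere (for instance with `gpg --verify`) and that only the fingerprint of the key that produced a valid signature is passed in; the `PinStore`, `Pin`, `check_submission` and `request_key_change` names, the in-memory store and the `notifications` list standing in for a mailing-list post are all assumptions of this example.

```python
"""Trust-on-first-use pinning of maintainer GPG keys for SlackBuild uploads.

Added example (not the project's code). Assumption: the caller has already
verified the detached signature and passes in the fingerprint of the key that
produced it; this module only decides whether that key may be trusted for the
named SlackBuild.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Cool-down during which a changed key is announced but not yet accepted.
COOLDOWN = timedelta(days=7)


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so callers can build timezone-aware timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def norm(fingerprint: str) -> str:
    """Normalise a fingerprint: drop spaces, upper-case hex, so 'aaaa 1111' == 'AAAA1111'."""
    return fingerprint.replace(" ", "").upper()


@dataclass
class Pin:
    fingerprint: str                      # currently trusted key for this SlackBuild
    pinned_at: datetime
    pending_fingerprint: Optional[str] = None   # admin-requested replacement
    pending_since: Optional[datetime] = None    # when the change was announced


@dataclass
class PinStore:
    pins: Dict[str, Pin] = field(default_factory=dict)
    # Stand-in for the mailing-list notification the message proposes.
    notifications: List[str] = field(default_factory=list)

    def check_submission(self, slackbuild: str, signer_fpr: str, now: datetime) -> str:
        """Return 'accept' or 'reject' for an upload signed by signer_fpr."""
        fpr = norm(signer_fpr)
        pin = self.pins.get(slackbuild)
        if pin is None:
            # First submission: trust on first use and announce the pin.
            self.pins[slackbuild] = Pin(fpr, now)
            self.notifications.append(f"pinned key {fpr} for {slackbuild}")
            return "accept"
        if fpr == pin.fingerprint:
            return "accept"
        if (pin.pending_fingerprint == fpr and pin.pending_since is not None
                and now - pin.pending_since >= COOLDOWN):
            # Admin-announced key change, cool-down elapsed: promote the new key.
            pin.fingerprint, pin.pinned_at = fpr, now
            pin.pending_fingerprint, pin.pending_since = None, None
            self.notifications.append(f"key for {slackbuild} is now {fpr}")
            return "accept"
        # Unknown key, or a changed key still inside its cool-down.
        return "reject"

    def request_key_change(self, slackbuild: str, new_fpr: str, admin: str, now: datetime) -> None:
        """Admin replaces the pinned key; takes effect only after COOLDOWN and a notification."""
        pin = self.pins[slackbuild]
        pin.pending_fingerprint = norm(new_fpr)
        pin.pending_since = now
        self.notifications.append(
            f"[admin {admin}] key change for {slackbuild}: {pin.fingerprint} -> "
            f"{pin.pending_fingerprint}; accepted from {(now + COOLDOWN).date()}"
        )


def demo() -> List[str]:
    """Walk through the scenarios in the message; returns the accept/reject decisions."""
    store = PinStore()
    t0 = utc(2026, 6, 12)
    day = timedelta(days=1)
    results = [
        store.check_submission("foo", "AAAA 1111", t0),            # first upload: pinned
        store.check_submission("foo", "aaaa1111", t0 + day),       # same key, normalised
        store.check_submission("foo", "BBBB2222", t0 + day),       # unannounced new key
    ]
    store.request_key_change("foo", "BBBB2222", "admin", t0 + 2 * day)
    results.append(store.check_submission("foo", "BBBB2222", t0 + 5 * day))   # inside cool-down
    results.append(store.check_submission("foo", "BBBB2222", t0 + 9 * day))   # cool-down over
    results.append(store.check_submission("foo", "AAAA1111", t0 + 10 * day))  # old key retired
    return results


if __name__ == "__main__":
    print(demo())
```

The store is deliberately keyed per SlackBuild rather than per maintainer, matching the message's "first time a SlackBuild is submitted"; the notifications list is where a real deployment would send the mailing-list mail, and `request_key_change` is the only path that ever replaces a pin, so a submitter alone can never rotate the trusted key.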