=== Repository security ===
Until Pacman version 4.0.0,<ref>{{Cite web|url=https://git.archlinux.org/pacman.git/tree/NEWS?id=d3d3b861ac2c4ce63c306e00395945bfa3c1b6c6|title=NEWS - pacman.git - The official pacman repository|website=git.archlinux.org|access-date=12 May 2019|archive-date=8 March 2021|archive-url=https://web.archive.org/web/20210308124115/https://git.archlinux.org/pacman.git/tree/NEWS?id=d3d3b861ac2c4ce63c306e00395945bfa3c1b6c6|url-status=live}}</ref> Arch Linux's package manager lacked support for signed packages.<ref>{{Cite web|url=https://bugs.archlinux.org/task/5331|title=FS#5331 : Signed packages|website=bugs.archlinux.org|access-date=12 May 2019|archive-url=https://web.archive.org/web/20110728064526/https://bugs.archlinux.org/task/5331|archive-date=28 July 2011|url-status=live}}</ref> Packages and metadata were not verified for authenticity by Pacman during the download-install process. Without package authentication checking, tampered-with or malicious repository mirrors could compromise the integrity of a system.<ref>{{cite web |url=https://www.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html |title=Attacks on Package Managers |publisher=cs.arizona.edu |date=10 July 2008 |access-date=14 September 2010 |archive-url=https://web.archive.org/web/20100905075018/https://www.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html |archive-date=5 September 2010 |url-status = dead}}</ref> Pacman 4 allowed verification of the package database and packages, but it was disabled by default.
In November 2011, package signing became mandatory for new package builds, and as of March 2012, every official package is signed.<ref name="signed">{{cite web |url=https://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/ |title=Pacman Package Signing – 4: Arch Linux |last=McRae |first=Allan |date=17 December 2011 |access-date=29 February 2012 |archive-url=https://web.archive.org/web/20120220041620/https://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/ |archive-date=20 February 2012 |url-status=live }}</ref> In June 2012, package signing verification became official and is now enabled by default in the installation process.<ref>{{cite web |url=https://www.archlinux.org/news/having-pacman-verify-packages/ |title=Having pacman verify packages |author=Gaetan Bisson |website=Arch Linux |date=4 June 2012 |access-date=4 June 2012 |archive-url=https://web.archive.org/web/20120606144149/https://www.archlinux.org/news/having-pacman-verify-packages/ |archive-date=6 June 2012 |url-status=live }}</ref><ref name="2012.07.15">{{cite web |url=https://www.archlinux.org/news/install-media-20120715-released/ |title=Install media 2012.07.15 released |author=Pierre Schmitz |website=Arch Linux |access-date=13 August 2012 |date=22 July 2012 |archive-url=https://web.archive.org/web/20151212141631/https://www.archlinux.org/news/install-media-20120715-released/ |archive-date=12 December 2015 |url-status=live }}</ref>