
Arch?

Name: Anonymous 2010-05-24 3:07

What do you think about Arch Linux, /prog/?

Name: Anonymous 2010-05-24 3:24

you are now aware of the fact that half the updates you installed last week were written by /b/tards.

Name: Anonymous 2010-05-24 3:41

Is that the one with the package manager that doesn't do signatures?

Name: Anonymous 2010-05-24 4:00

programming-related discussion

that is all.

Name: Anonymous 2010-05-24 4:42

>>4
Damn. Where's The Threadshitter when you need him most?

Name: Anonymous 2010-05-24 5:16

>>5
NEED MY ANUS

Name: Anonymous 2010-05-24 6:00

Ark Linux is decent

Name: Anonymous 2010-05-24 15:50

>>3
It has hash sums, but not cryptographic sigs like PGP. I wasn't aware of any package manager that uses signed packages... seems kind of contrary to openness, to me. A hash sum is basically an anonymous signature, anyways, since a signature is just an asymmetrically encrypted hash sum.

Name: Anonymous 2010-05-24 15:54

>>8
What's the difference between a hash table and a dictionary?

Name: Anonymous 2010-05-24 16:51

A hash table is a way of implementing a dictionary.

Name: Anonymous 2010-05-24 17:26

>>8
That's not the problem, the problem is that the hashes can be replaced without the user knowing.  The list of hashes is what needs to be signed.

Name: Anonymous 2010-05-24 17:42

>>8
Your level of understanding indicates that you use Ubanto, not Arch.

Hashes are used to ensure nothing went wrong in the download process. Cryptographic signatures ensure you're downloading from the source you think you're downloading from. They also guarantee data integrity, but that isn't the main point.

Every package manager except for Arch's pacman supports them. Several distros (including Frugalware) have forked pacman specifically to add support for signatures. Gnuffy modeled their spaceman on pacman, and also added support for signed packages.
Debian and Red Hat and Gentoo have, of course, all had it for years.

I'd love for you to explain why you think signed packages are ``contrary to openness''. The only freedom it infringes on is the freedom of malicious attackers to impersonate trusted repositories.
When you're getting nearly all of your software from a single trusted source and installing it directly into your root filesystem, it's kind of important that you can actually trust that source.
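Added example, not part of any post in the thread: a minimal model of the point made in >>11 and >>12, that a hash list only helps if the list itself is signed by a key the client already trusts. A Lamport one-time signature stands in for PGP so the code needs only the standard library; the package name, contents and list format are constructed for illustration.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

# Lamport one-time signature (one message per key): stdlib stand-in for PGP.
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg)))

def make_db(packages):
    # Hash list in an assumed format: one "sha256  name" line per package.
    return "\n".join(f"{H(data).hex()}  {name}"
                     for name, data in sorted(packages.items())).encode()

def hash_only_check(db, name, data):
    # All a hash-only client can establish: the package matches the list served.
    return f"{H(data).hex()}  {name}".encode() in db.splitlines()

def signed_check(pk, db, sig, name, data):
    # Check the list against the pinned repository key, then the package.
    return verify(pk, db, sig) and hash_only_check(db, name, data)

def demo():
    sk, pk = keygen()  # pk ships with the installer; sk stays with the repo
    name, good, bad = "foo-1.0.pkg", b"genuine build", b"modified build"  # constructed
    db = make_db({name: good})
    sig = sign(sk, db)
    forged_db = make_db({name: bad})  # a replaced package arrives with a replaced list
    return {
        "hash only, package replaced, list intact": hash_only_check(db, name, bad),
        "hash only, package and list replaced": hash_only_check(forged_db, name, bad),
        "signed list, package and list replaced": signed_check(pk, forged_db, sig, name, bad),
        "signed list, genuine": signed_check(pk, db, sig, name, good),
    }
```

`demo()` maps each case to whether the client accepts the package; the hash-only client accepts the replaced package as soon as the list is replaced along with it.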

Name: Anonymous 2010-05-24 17:51

>>12
TRUST MY ANUS

Name: Anonymous 2010-05-24 17:59

>>3,12
And so /prog/ imitates #sicp.

Name: Anonymous 2010-05-24 18:08

>>12
But if the hash you have in your local database doesn't match the one from the package you downloaded, then it is clear that it has been tampered with. It doesn't matter where you downloaded it from, if it's no different to that which you had expected, then there is nothing wrong with it.

Name: Anonymous 2010-05-24 18:10

>>15
In your world, you get a database of hashes when you install your OS and then that never changes? I don't see how a repository that never patches or adds packages is useful.

Name: Anonymous 2010-05-24 18:12

>>16
The database and package servers are in different parts of the world, on different servers.

Name: Anonymous 2010-05-24 18:15

>>17
Great. So instead of the obvious, very straightforward, and well-tested mechanism of signed packages, you want to duplicate expensive infrastructure in a way that doesn't even protect against the most obvious attacks?

(It goes without saying that pacman doesn't even do what you're suggesting either.)

Name: Anonymous 2010-05-24 18:18

Name: Anonymous 2010-05-24 18:19

>>18
Have you paid your beet toll today? He realized he was wrong after >>15, and now he's just yanking your chain with >>17.

Name: Anonymous 2010-05-24 18:48

>>20
YANK MY ANUS

Name: Anonymous 2010-05-24 22:00

/brb, updating real man's OS.

Name: Anonymous 2010-05-25 4:31

Name: Anonymous 2010-05-25 16:29

>>12
>>8 here, and actually I use Arch. Well, I did until I borked it a couple days ago while updating to Ext4, so now I'm using Ubuntu on a spare drive until I figure out how to fix it. (The problem is that Grub drops me down into its shell rather than loading the menu and letting me boot! I reformatted the /boot partition to Ext3 and copied the files back, but no dice.)

You don't need to insult my "level of understanding," since I pretty clearly showed that I know what a signature is and how it's different than a hash sum, and of course I understand that they're used to validate a message's author. Sorry that I didn't know that other package managers use sigs, now I know better. And I'm sorry that I claimed that using sigs would be less open, I see now that it wouldn't necessarily be. I think that when I read about a package manager using signatures, I assumed that it would *require* signatures, rejecting unsigned ones, thereby making it difficult for a user to make their own packages; that would surely not be open, but now of course no good distro would ever do that, and I don't know why I thought any distro would.

Name: Anonymous 2010-05-25 20:46

>>24
I imagine you probably thought they would reject unsigned packages because that sort of behavior is not unprecedented among packagers elsewhere in the software universe (e.g. some smartphones, which may or may not also apply some ridiculous DRM scheme) -- or maybe, you might have recalled how a certain popular web browser adopted the less-than-useless behavior of refusing to show https websites using self-signed certificates without a number of acrobatic moves on the part of the user, which need to be repeated on either a per-visit or per-site basis.

Generally I don't give a crap whether my packages are signed; I run a number of obscure programs, much of which was mutated from some other package system like rpm or deb, or which no package existed so I had to build from source, so it's not very relevant to my interests whether the mainline repository has signatures or other such bells and whistles. But I suppose some people find them important.

Name: Anonymous 2010-05-25 22:40

>>23
What is this /g/ crapola

Name: Anonymous 2011-02-02 23:30

Name: Anonymous 2013-01-19 23:06

/prog/ will be spammed continuously until further notice. we apologize for any inconvenience this may cause.
