FS#5331 : Signed packages

Hi!

I have noticed that the single most vulnerable point of archlinux (assuming you trust the developers) is that any mirror can be hacked and injected with various packages, and there would be virtually no way for an end user to notice this, as pacman would accept the local list of packages and the package downloaded/installed. And if someone noticed it, it'd be too late in either case.

This also means that users need to have some sort of trust in the mirror of their choosing. Many probably wouldn't even consider it. Others would trust their gut feeling. Or use the (almost terribly slow, for us Swedes) ftp.archlinux.org.

As I just set up my new public archlinux mirror, it hit me that there is no way that I can genuinely guarantee my users that my packages are safe and unmodified, other than users doing sample tests now and then. (If you need a pretty fast Swedish mirror, read http://bbs.archlinux.org/viewtopic.php?t=24666 :)).

Signed packages would solve these problems. The signatures can be verified by a public key which the developers integrate, so any package going up for publishing will need a signature. The signatures can preferably be stored in the repository database file (current.db.tgz etc.) and verified by pacman upon install.

If a user chooses to trust other developers than the main ones, they should be able to add their public keys to pacman's database as well. pacman -Ka /home/data/key.pub, or something.

Now here comes the best part: the code is already fully developed :) Integration with gnupg will allow this kind of verification to be easily put into place.

Hit me back with comments and/or suggestions.
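As an added illustration of the scheme proposed in this report (it is not part of the report and not pacman's code), the install-time check pacman would run: the repository database carries one detached signature per package, the user's keyring holds the trusted developer keys, and a package fetched from a mirror installs only if a trusted key signed exactly those bytes. Ed25519 from the Go standard library stands in for gnupg, and RepoDB, Keyring, signPackage and verifyPackage are hypothetical names with constructed package bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RepoDB stands in for the repository database (current.db.tgz) with one signature per package.
type RepoDB map[string][]byte

// Keyring holds the developer public keys the user trusts, filled the way a
// hypothetical "pacman -Ka key.pub" would add a key.
type Keyring []ed25519.PublicKey

var ErrUnsigned = errors.New("no signature for package in repository database")
var ErrBadSig = errors.New("signature does not verify against any trusted key")

// signPackage runs on the publishing side: sign the SHA-256 digest of the
// package file, so the database carries only a small signature per package.
func signPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(priv, digest[:])
}

// verifyPackage is the install-time check: bytes fetched from any mirror are
// accepted only if a trusted developer key signed exactly these bytes.
func verifyPackage(kr Keyring, db RepoDB, name string, pkg []byte) error {
	sig, ok := db[name]
	if !ok {
		return ErrUnsigned
	}
	digest := sha256.Sum256(pkg)
	for _, pub := range kr {
		if ed25519.Verify(pub, digest[:], sig) {
			return nil
		}
	}
	return ErrBadSig
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // developer key pair
	pkg := []byte("constructed package contents")     // stands in for a .pkg.tar.gz
	db, kr := RepoDB{"foo-1.0": signPackage(priv, pkg)}, Keyring{pub}
	fmt.Println("clean mirror:", verifyPackage(kr, db, "foo-1.0", pkg))
	fmt.Println("tampered mirror:", verifyPackage(kr, db, "foo-1.0", []byte("backdoored")))
}
```

A mirror that swaps package bytes, strips a signature, or signs with its own key fails the check in each case, which is the property the report is asking for.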