Due to the current problem with unsigned packages on Arch Linux’s distribution mirrors, I have written a script I can use to compare my pacman sync with multiple mirrors, to help reduce the risk of downloading tampered packages. paccheck is available for download.
Rationale: pacman has no way of detecting when files on any mirror have been compromised. Given that Arch has over 150 mirrors around the world, and these mirrors run assorted operating systems and server software, have hundreds of people with access to the servers, and may be stored on misconfigured or compromised servers, there is no way for an Arch user to evaluate the security of a given mirror. For example, if you use the mirror at ftp.tku.edu.tw, you are downloading your Arch updates from an Apache FTP server running on an Ubuntu machine. Thus your system becomes vulnerable to security problems in Ubuntu or caused by misconfigurations on that server.
Sorry, the comment form is closed at this time.