How is the origin of packages secured?
How does Jolla protect packages sent from Jolla server to a client instance during pkcon install process from being intercepted by a middleman or being tampered with? How are signatures shared and verified, hash verification during download to user?
Take a look at what SUSE does, Sailfish uses their programs for handling the RPMs. Anyway, RPM sucks hard...
PS: I would recommend changing the title, it implies that a security issue was discovered 'How are packages and apps verified?'
hoschi ( 2016-12-02 09:04:00 +0200 )
@hoschi whilst I agree that rpm can suck hard, there's plenty of reasons why the rest out there sucks even more.
tortoisedoc ( 2016-12-02 09:25:33 +0200 )
If TAR (pacman or pkgtool) or even DEB (apt) sucks more than RPM, the hell will freeze.
hoschi ( 2016-12-02 19:55:50 +0200 )
Most distros (such as Fedora) sign their packages and then have the package manager verify the signature before installation. If the package was tampered with (or even just corrupted) during transfer, the signature will be different and the package will be rejected.
I assume Sailfish OS does the same thing as not doing it would be rather insane, but an official confirmation would be nice. :)
MartinK ( 2016-12-02 21:05:51 +0200 )