so whilst we sort out what broke in the last couple builds (and please don't install them on anything you care about!) I'd wanted to mention something that has been in place for a while. Stephen walker did the original work ages ago, and the ohgf folk picked it up and tested it and helped get it into the openwrt mainline recently (Evan hunt, steven barth, others)
Package signing has been a feature that has helped make the mainline linux distros much more secure and it much safer to do things like mirror package databases and yet avoid malign updates. Now, I'm not terribly clear on how it all works in openwrt, but it can be enabled at least, now, with adding the following lines to /etc/opkg.conf option check_signature 1 option signature_ca_file /etc/ssl/certs/opkg.pem root@CMTS:/# opkg update Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.24-1/packages/Packages.gz. Updated list of available packages in /var/opkg-lists/vancouver. Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.24-1/packages/Packages.sig. Signature check passed. Package signing does not save you from versioning errors, however. # opkg update Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.17-6/packages/Packages.gz. Updated list of available packages in /var/opkg-lists/vancouver. Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.17-6/packages/Packages.sig. Signature check passed. But it should make it more possible to be assured that the package you are adding or updating was indeed from the maintainer or vendor making the product. There is support for multiple signing keys and multiple repositories. Future versions of cero will be signed. -- Dave Täht Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html _______________________________________________ Cerowrt-devel mailing list Cerowrt-devel@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cerowrt-devel
