FS#62314 - Why trust packages in official repos?
Attached to Project:
Arch Linux
Opened by Anon Amoose (zzz404) - Thursday, 11 April 2019, 23:37 GMT
Last edited by Allan McRae (Allan) - Thursday, 11 April 2019, 23:45 GMT
Details
Let me start off by saying this is a serious question that I have wondered about as an Arch (and general Linux) user. It is not meant to troll, it is not meant to flame Arch or package maintainers.

I could see it being secure if a PKGBUILD was distributed across multiple mirrors owned by different people, and they all had to compile the package and the checksums had to match. But right now I understand that you're really just trusting one packager per package. Yes, they sign it and you're assured that you're getting their package, but you're still ultimately trusting them not to be malicious.

I am not asking this question to offend anybody. It is a serious inquiry. Are there plans for the future? Has this been discussed before? I would have normally left this for the forums, but it seems an overzealous mod took offense to this question and decided to censor it. https://bbs.archlinux.org/viewtopic.php?pid=1841293