FS#62314 - Why trust packages in official repos?

Attached to Project: Arch Linux
Opened by Anon Amoose (zzz404) - Thursday, 11 April 2019, 23:37 GMT
Last edited by Allan McRae (Allan) - Thursday, 11 April 2019, 23:45 GMT
Task Type General Gripe
Category Security
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Let me start off by saying this is a serious question that I have wondered about as an Arch (and general Linux) user. It is not meant to troll, it is not meant to flame Arch or package maintainers.

I could see it being secure if a PKGBUILD was distributed across multiple mirrors owned by different people, and they all had to compile the package and checksums had to match.

But right now I understand that you're really just trusting one packager per package. Yes they sign it and you're assured that you're getting their package, but you're still ultimately trusting them not to be malicious.

I am not asking this question to offend anybody. It is a serious inquiry: are there plans for the future? Has this been discussed before?

I would have normally left this for the forums, but it seems an overzealous mod took offense to this question and decided to censor it.

https://bbs.archlinux.org/viewtopic.php?pid=1841293

Closed by Allan McRae (Allan)
Thursday, 11 April 2019, 23:45 GMT
Reason for closing: Not a bug
