Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#62314 - Why trust packages in official repos?
Attached to Project:
Arch Linux
Opened by Anon Amoose (zzz404) - Thursday, 11 April 2019, 23:37 GMT
Last edited by Allan McRae (Allan) - Thursday, 11 April 2019, 23:45 GMT
Details
Let me start off by saying this is a serious question that I have wondered about as an Arch (and general Linux) user. It is not meant to troll, it is not meant to flame Arch or package maintainers.
I could see it being secure if a PKGBUILD was distributed across multiple mirrors owned by different people, and they all had to compile the package and the checksums had to match. But right now I understand that you're really just trusting one packager per package. Yes, they sign it and you're assured that you're getting their package, but you're still ultimately trusting them not to be malicious. I am not asking this question to offend anybody. It is a serious inquiry, and are there plans for the future? Has this been discussed before? I would have normally left this for the forums, but it seems an overzealous mod took offense to this question and decided to censor it. https://bbs.archlinux.org/viewtopic.php?pid=1841293