On Thu, Sep 1, 2016 at 1:47 PM, Eli Schwartz via arch-general <arch-general@archlinux.org> wrote:
On 09/01/2016 12:41 PM, Diego Viola via arch-general wrote:
Sorry, I didn't mean to be rude or be offensive towards the AUR, the AUR is great, but when using things like bitcoin, how can you be safe that using bitcoin-qt from the AUR is fine?
What Emily suggested, actually building it myself works fine, but is there anything else I can do in order to verify my binaries if I'm using someone else's build?
This tells me that you do not actually know what the AUR is.
The AUR is a collection of build scripts (in Arch Linux parlance, the "PKGBUILD"), which describes how to download and build a package. Yourself.
:) :)
You can trust an AUR package to the same extent you can trust your own eyeballs, which you use to read the PKGBUILD and confirm that it is doing the same thing the stable PKGBUILD in the ABS is doing.
-- Eli Schwartz
I actually know that, yes. My point is that there can be bad PKGBUILDs out there that could fetch the bitcoin-qt binary from somewhere else, which means I'll need to review the PKGBUILD beforehand or write my own. I admit to not using the AUR a lot (I stick mostly to packages from the repos), but I understand how the AUR works.
Diego
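The review discussed in this thread (confirming where a PKGBUILD fetches its sources from before building) can be given a mechanical first pass. The following is an added example, not part of the original messages: it reads the `source` and checksum arrays as text and never sources or executes the PKGBUILD. The sample PKGBUILD, the host names and the helper names `read_array` and `audit` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample PKGBUILD (not a real AUR package); hosts are placeholders.
SAMPLE_PKGBUILD = '''
pkgname=bitcoin-qt-example
pkgver=0.0.0
source=("https://upstream.example.org/bitcoin-$pkgver.tar.gz"
        "bitcoin-qt.desktop"
        "extra::http://mirror.example.net/bitcoin-qt-prebuilt.tar.xz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP'
            'SKIP')
'''

SUM_ARRAYS = ("md5sums", "sha1sums", "sha256sums", "sha512sums", "b2sums")

def read_array(text, name):
    """Statically extract the entries of a bash array such as source=(...)."""
    items = []
    for body in re.findall(rf'^{re.escape(name)}=\(([^)]*)\)', text, re.M):
        for dq, sq, bare in re.findall(r'"([^"]*)"|\'([^\']*)\'|([^\s"\']+)', body):
            items.append(dq or sq or bare)
    return items

def audit(text, trusted_hosts):
    """Return (source entry, reason) pairs that deserve a closer look."""
    sources = read_array(text, "source")
    sums = [s for s in (read_array(text, n) for n in SUM_ARRAYS) if s]
    findings = []
    for i, entry in enumerate(sources):
        url = re.sub(r'^[^:/]+::', '', entry)           # drop optional "name::" prefix
        url = re.sub(r'^(git|svn|hg|bzr)\+', '', url)   # VCS sources, e.g. git+https://
        parsed = urlparse(url)
        if not parsed.scheme:
            continue  # local file shipped beside the PKGBUILD; read it by eye
        if parsed.scheme != "https":
            findings.append((entry, "not fetched over https"))
        if parsed.hostname not in trusted_hosts:
            findings.append((entry, "host not in trusted list"))
        if not any(i < len(s) and s[i] != "SKIP" for s in sums):
            findings.append((entry, "no checksum pinned (SKIP or missing)"))
    return findings

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE_PKGBUILD, {"upstream.example.org"}):
        print(f"{reason}: {entry}")
```

This only covers the declared sources; `prepare()`, `build()`, `package()` and any `.install` file can still download or run anything, so they still need to be read.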