On 2013-04-24 13:47, Mark E. Lee wrote:
> As seen by some malignant Android apps, trust in the developer/maintainer does not always work towards the goals of the end users. Packages downloaded from the main repos or built from the AUR should be scanned for both Windows and Linux malware to ensure Arch Linux PCs don't become carriers for malware. Pacman would benefit from an additional line of package scanning (not just verifying); it's sort of like a second opinion from another doctor.

I am continuing on the assumption that this is serious...

The Arch Way is all about handing the power to the user; such changes (which, regardless, are pointless) should be handled by the user directly.

What a virus scanner says does not necessarily equal the actuality of whether a virus exists. Besides, what if I *want* to have a virus as part of a package on my computer, for analysis, unit tests, or some such? What if an AV vendor suddenly decides that they have a vendetta against someone, and blacklists them? That has happened many times before. AV vendors are evil, evil, evil.

IMO: pointless. GPG verification is almost cost-free to the user. Virus scanning is not, and is just plain wrong.

Chris