Leonid Isaev writes:
On Sun, Jan 03, 2016 at 12:18:36AM +0100, Magnus Therning wrote:
How is that stupid? Do you check the sources with each release? *How* do you perform those checks?
OK, fact #0 - I only use software whose upstream I trust.
How do you establish that trust?
Having said that, I usually pull md5sums and sha*sums in the PKGBUILD, all from different sources (upstream, Debian, Gentoo, etc.), if the src is not upstream-signed. FF releases _are_ signed (I don't know why the PKGBUILD in [extra] doesn't check that), so just have the Mozilla signing key (currently 0x61B7B526D98F0353) in your keychain.
If you trust random people in the AUR and never inspect their PKGBUILDs, or even worse, use their binaries, you deserve to be rooted.
Ah, you mean you check the origins of the source code, not the source code itself. My bad.

/M

--
Magnus Therning                      OpenPGP: 0x927912051716CE39
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus

I invented the term Object-Oriented, and I can tell you I did not have C++ in mind.
     -- Alan Kay
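The two checks Leonid describes (comparing the tarball's checksum against what several independent sources recorded, and verifying the upstream detached signature against a specific key) as a small POSIX shell script. This is an added example, not code from either poster nor from any PKGBUILD in [extra]. The file and checksums are constructed inline so it runs offline; the key ID 0x61B7B526D98F0353 is taken from the thread but is only a placeholder here, and verify_signature assumes the signing key has already been imported into the local gpg keyring. The point of verify_signature that a plain `gpg --verify` misses: gpg exits 0 for a valid signature from any key in the keyring, so the VALIDSIG status line is matched against the key you actually expect.

```shell
#!/bin/sh
# Added example: cross-check a release tarball against multiple recorded
# checksums and against a detached signature pinned to one expected key.

# Hex SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# verify_multisource FILE SUM...
# Each SUM is what one independent source (upstream SHA256SUMS, a Debian .dsc,
# a Gentoo Manifest, ...) recorded for this tarball. Succeeds only if every
# one of them equals the file's actual hash; a single disagreeing source means
# either that source is wrong or the tarball you fetched differs from what
# everyone else saw, and both deserve a look before building.
verify_multisource() {
    file=$1; shift
    actual=$(file_sha256 "$file")
    rc=0
    for expected in "$@"; do
        if [ "$expected" != "$actual" ]; then
            echo "MISMATCH: $file has $actual, source recorded $expected" >&2
            rc=1
        fi
    done
    return $rc
}

# verify_signature FILE SIG KEYID
# KEYID is a hex long key ID or full fingerprint (no 0x prefix). Uses
# --status-fd so the check is "valid signature made by KEYID", not merely
# "valid signature made by some key gpg knows". Requires gpg and the key
# already imported (assumption).
verify_signature() {
    file=$1; sig=$2; keyid=$3
    status=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # VALIDSIG's first field is the full 40-hex fingerprint; a long key ID
    # is its last 16 hex digits, so match it as a suffix.
    printf '%s\n' "$status" | grep -q "VALIDSIG [0-9A-F]*${keyid} "
}

# Demo on a constructed file standing in for the release tarball; the three
# "recorded" checksums are constructed to match it.
demo_multisource() {
    tmp=$(mktemp) || return 1
    printf 'constructed tarball contents\n' > "$tmp"
    upstream=$(file_sha256 "$tmp")   # constructed: upstream SHA256SUMS entry
    debian=$upstream                 # constructed: Debian .dsc entry
    gentoo=$upstream                 # constructed: Gentoo Manifest entry
    verify_multisource "$tmp" "$upstream" "$debian" "$gentoo"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_multisource && echo "all recorded checksums agree with the tarball"
```

In a PKGBUILD the same cross-check is what you are doing by hand when you fill sha256sums=() from more than one source; verify_signature is what makepkg does internally when the .sig is listed in source=() and the key's full fingerprint is in validpgpkeys=().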