[arch-general] Question about automated builder
Jakob Gruber
jakob.gruber at gmail.com
Fri Jan 28 09:32:07 EST 2011
Another aspect of this is security. Right now, any dev / TU could
theoretically check in a correct PKGBUILD but upload a binary package
with *insert malicious content* in it to the repos with a very low
probability of anyone ever noticing. A (mandatory) central build server
could guarantee that the package is actually built with the specified
publicly available PKGBUILD.
I'm not a security expert so please call me out if I'm talking nonsense.