[arch-general] Integrating Virus Scanning for Packages Handled by Pacman (Mark Lee)

Chris Down chris at chrisdown.name
Thu Apr 25 04:53:10 EDT 2013


On 2013-04-24 13:47, Mark E. Lee wrote:
> As seen by some malignant Android apps, trust in the
> developer/maintainer does not always work towards the goals of the end
> users. Packages downloaded from the main repos or built from the AUR
> should be scanned for both Windows and Linux malware to ensure Arch
> Linux PCs don't become carriers for malware. Pacman would benefit from
> an additional line of package scanning (not just verifying); it's sort
> of like a second opinion from another doctor.

I am continuing on the assumption that this is serious...

The Arch Way is all about handing the power to the user; such changes (which,
regardless, are pointless) should be handled by the user directly. What a virus
scanner says does not necessarily equal the actuality of whether a virus exists.

Besides, what if I *want* to have a virus as part of a package on my computer,
for analysis, unit tests, or some such? What if an AV vendor suddenly decides
that they have a vendetta against someone, and blacklist them? That has happened
many times before. AV vendors are evil, evil, evil.

IMO: pointless. GPG verification is almost cost-free to the user. Virus scanning
is not, and is just plain wrong.

Chris
