[arch-general] Integrating Virus Scanning for Packages Handled by Pacman (Mark Lee)

[Simon Gomizelj]

Packages are signed, unless they're infected at the source, you can't
attach/embed malware in them enroute to your machine.

Upstream could insert much more incidious things into a package then
malware. Scanning for malware is only going to help you find known
pieces of malware with known signautres. Its not going to magically be
able to detect any bit of malicious code. That is simply an impossible
proposition, making scanning for malware a ineffective and virutally
useless technique.

Basically its comes down to trust. If you can't trust the repos, don't use them.