[arch-general] Firefox without signature checking
Emil Lundberg
lundberg.emil at gmail.com
Sat Jan 2 23:31:21 UTC 2016
>
> >> But I also have to with a source-package since I won't check the
> >> sources with each release ;)
> >
> > Which is plain stupid.
>
> How is that stupid? Do you check the sources with each release? *How*
> do you perform those checks?
>
Perhaps there's a misunderstanding here. Not checking at least the PKGBUILD
on each rebuild *would* be reckless at best and plain stupid at worst, but
that's not what you suggested. Assuming trust in the upstream, I don't see
too big an issue with simply asserting that the PKGBUILD pulls the source
from the right place over an authenticated channel (i.e. HTTPS) and doesn't
do anything weird in the build functions.
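
An added example, not part of the original message: one way to check statically (without sourcing the PKGBUILD) that every remote `source` entry uses HTTPS and points at an expected host. The `example.org` and `example.net` hosts, the sample PKGBUILD and the function names are constructed for illustration; reviewing the build functions still has to be done by reading them.

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed sample PKGBUILD (not a real package); hosts are placeholders.
SAMPLE_PKGBUILD = '''
pkgname=demo
pkgver=1.2.3
source=("https://downloads.example.org/demo/$pkgver/demo-$pkgver.tar.xz"
        "demo.desktop"
        "patch::http://mirror.example.net/fix.patch"
        "git+https://git.example.org/demo.git")
build() {
  make
}
'''

def read_array(text, name):
    """Extract a bash array assignment name=(...) as a list of strings.

    The file is only read as text, never sourced, so nothing in it runs.
    Simplification: the array body must not contain a literal ')'.
    """
    m = re.search(r'^' + re.escape(name) + r'=\((.*?)\)', text, re.M | re.S)
    return shlex.split(m.group(1)) if m else []

def audit_sources(text, trusted_hosts):
    """Return (entry, problem) pairs for remote sources that look wrong."""
    findings = []
    for entry in read_array(text, "source"):
        url = entry.split("::", 1)[-1]         # drop optional "filename::" prefix
        if "://" not in url:
            continue                            # local file next to the PKGBUILD
        parsed = urlparse(url)
        transport = parsed.scheme.split("+")[-1]  # "git+https" -> "https"
        if transport != "https":
            findings.append((entry, "not fetched over HTTPS"))
        if parsed.hostname not in trusted_hosts:
            findings.append((entry, "unexpected host %s" % parsed.hostname))
    return findings

if __name__ == "__main__":
    trusted = {"downloads.example.org", "git.example.org"}  # assumed upstream hosts
    for entry, problem in audit_sources(SAMPLE_PKGBUILD, trusted):
        print("%s: %s" % (problem, entry))
```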