[arch-general] Firefox without signature checking
Leonid Isaev
leonid.isaev at jila.colorado.edu
Sun Jan 3 00:23:41 UTC 2016
On Sun, Jan 03, 2016 at 12:18:36AM +0100, Magnus Therning wrote:
> How is that stupid? Do you check the sources with each release? *How*
> do you perform those checks?
OK, fact #0 - I only use software whose upstream I trust.
Having said that, I usually pull md5sums and sha*sums in the PKGBUILD, all from
different sources (upstream, Debian, Gentoo, etc.), if the src is not
upstream-signed. FF releases _are_ signed (I don't know why the PKGBUILD in
[extra] doesn't check that), so just have the Mozilla signing key (currently
0x61B7B526D98F0353) in your keychain.
If you trust random people in the AUR and never inspect their PKGUILDs, or even
worse, use their binaries, you deserve to be rooted.
Best,
--
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4
C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
More information about the arch-general
mailing list