[arch-general] Firefox without signature checking
Magnus Therning
magnus at therning.org
Sun Jan 3 01:08:59 UTC 2016
Leonid Isaev writes:
> On Sun, Jan 03, 2016 at 12:18:36AM +0100, Magnus Therning wrote:
>> How is that stupid? Do you check the sources with each release? *How*
>> do you perform those checks?
>
> OK, fact #0 - I only use software whose upstream I trust.
How do you establish that trust?
> Having said that, I usually pull md5sums and sha*sums in the PKGBUILD, all from
> different sources (upstream, Debian, Gentoo, etc.), if the src is not
> upstream-signed. FF releases _are_ signed (I don't know why the PKGBUILD in
> [extra] doesn't check that), so just have the Mozilla signing key (currently
> 0x61B7B526D98F0353) in your keychain.
>
> If you trust random people in the AUR and never inspect their PKGBUILDs, or even
> worse, use their binaries, you deserve to be rooted.
Ah, you mean you check the origins of the source code, not the source
code itself. My bad.
/M
--
Magnus Therning OpenPGP: 0x927912051716CE39
email: magnus at therning.org jabber: magnus at therning.org
twitter: magthe http://therning.org/magnus
I invented the term Object-Oriented, and I can tell you I did not have
C++ in mind.
-- Alan Kay
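An added example, not text from the thread and not the [extra] PKGBUILD, of the two checks Leonid describes: a PKGBUILD fragment that makes makepkg verify Mozilla's detached signature through `validpgpkeys`, and a helper that accepts a download only when the checksums collected from several independent sources all agree with the file. The archive.mozilla.org paths and the version number are assumptions; the fingerprint and checksum values are placeholders.

```shell
#!/usr/bin/env bash
# Added example: PKGBUILD lines for signature checking plus a multi-source
# checksum cross-check. Paths/version are illustrative, values are placeholders.

pkgname=firefox
pkgver=43.0.3                                  # illustrative version
_url="https://archive.mozilla.org/pub/firefox/releases/${pkgver}/source"
source=("${_url}/firefox-${pkgver}.source.tar.xz"
        "${_url}/firefox-${pkgver}.source.tar.xz.asc")   # detached signature
sha256sums=('PLACEHOLDER_SHA256_FROM_UPSTREAM_SHA256SUMS'
            'SKIP')                            # the .asc itself is not hashed
# makepkg checks the .asc against these full 40-hex fingerprints; the thread
# only quotes the key ID 0x61B7B526D98F0353, so fill this from a trusted copy.
validpgpkeys=('PLACEHOLDER_FULL_FINGERPRINT_OF_MOZILLA_RELEASE_KEY')

# cross_check_sum FILE SOURCE=SUM [SOURCE=SUM ...]
# Returns 0 only if FILE's sha256 equals the value every listed source reports.
# Any disagreement is treated as untrusted: at least one copy, or the download
# itself, has been altered, and we cannot tell which from here.
cross_check_sum() {
  local file=$1; shift
  local actual entry src sum
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  for entry in "$@"; do
    src=${entry%%=*}
    sum=${entry#*=}
    if [ "$sum" != "$actual" ]; then
      echo "mismatch: $src reports $sum, file has $actual" >&2
      return 1
    fi
  done
  return 0
}

# Demo on a constructed file (not a real Firefox tarball).
demo() {
  local tmp good bad
  tmp=$(mktemp)
  printf 'constructed tarball contents\n' > "$tmp"
  good=$(sha256sum "$tmp" | cut -d' ' -f1)
  bad=$(printf 'f%.0s' $(seq 64))              # 64 f's: an obviously wrong sum
  cross_check_sum "$tmp" "upstream=$good" "debian=$good" && echo "all sources agree"
  cross_check_sum "$tmp" "upstream=$good" "gentoo=$bad" || echo "rejected"
  rm -f "$tmp"
}
demo
```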