[arch-general] usbguard package neglected

p5l3jutd3ln5gsy0 at mailban.de p5l3jutd3ln5gsy0 at mailban.de
Tue Oct 27 11:31:04 UTC 2020


On 27.10.20 03:45, Eli Schwartz via arch-general wrote:
> The point of a signing key is to say "this key certifies the correct
> software and I commit to using it. Anything else is automatically
> suspect as malware".
> 
> You don't immediately respond by saying "well it came from the same
> website and some unverified source told me the key totally got lost but
> it's fine. So let's blindly click accept".


The only thing a signing key accomplishes is that you can verify what
other commits were made by that signing key, i.e. person. If you
verified the key via a second channel you also know the person the key
belongs to. Anything beyond that is just a point of view.

A signing key has nothing to do with malware at all. What made you think
the software hasn't been malware in the first place? What makes you
think the person owning that signing key isn't writing good software
until some distros are trusting his key, adding the software as an official
package, and then the person starts implementing evil backdoors?

I'm just wondering, because you can easily write malicious software and
sign it with the same key all the time.
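The distinction drawn above, that a signature only ties a release to a key (and, via out-of-band verification, to a person) and says nothing about the payload's intent, can be shown concretely. The following Go program is an added illustration, not part of the thread, of usbguard, or of any Arch tooling; it uses the standard library's Ed25519 and a hypothetical consumer-side fingerprint pin. All payloads, package names and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is a constructed stand-in for a package payload plus its detached signature.
type Release struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// Fingerprint is the value a consumer pins after checking the key over a second channel.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign produces a release signed with the given maintainer key (hypothetical helper).
func Sign(name string, payload []byte, priv ed25519.PrivateKey) Release {
	return Release{Name: name, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyAgainstPin answers exactly one question: was this release signed by the key whose
// fingerprint we pinned earlier, and is the payload unmodified since signing? It cannot
// tell us anything about what the payload does.
func VerifyAgainstPin(r Release, pub ed25519.PublicKey, pinnedFingerprint string) bool {
	if Fingerprint(pub) != pinnedFingerprint {
		return false // a different key, however it is explained, does not match the pin
	}
	return ed25519.Verify(pub, r.Payload, r.Signature)
}

// ScenarioResult records what verification can and cannot distinguish.
type ScenarioResult struct {
	HonestBuildVerifies   bool // release from the pinned key
	ChangedBuildVerifies  bool // later release from the same pinned key, different contents
	TamperedBuildVerifies bool // payload altered after signing
	OtherKeyVerifies      bool // release signed by an unverified replacement key
}

// RunScenario walks through the four cases with constructed keys and payloads.
func RunScenario() ScenarioResult {
	maintainerPub, maintainerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pin := Fingerprint(maintainerPub) // assumed verified via a second channel

	honest := Sign("example-pkg-1.0", []byte("constructed: first release"), maintainerPriv)
	changed := Sign("example-pkg-1.1", []byte("constructed: later release, same key"), maintainerPriv)

	tampered := honest
	tampered.Payload = append([]byte{}, honest.Payload...)
	tampered.Payload[0] ^= 0xff // one flipped byte after signing

	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fromOther := Sign("example-pkg-1.2", []byte("constructed: first release"), otherPriv)

	return ScenarioResult{
		HonestBuildVerifies:   VerifyAgainstPin(honest, maintainerPub, pin),
		ChangedBuildVerifies:  VerifyAgainstPin(changed, maintainerPub, pin),
		TamperedBuildVerifies: VerifyAgainstPin(tampered, maintainerPub, pin),
		OtherKeyVerifies:      VerifyAgainstPin(fromOther, otherPub, pin),
	}
}

func main() {
	r := RunScenario()
	fmt.Printf("honest build verifies:        %v\n", r.HonestBuildVerifies)
	fmt.Printf("changed build, same key:      %v\n", r.ChangedBuildVerifies)
	fmt.Printf("tampered payload:             %v\n", r.TamperedBuildVerifies)
	fmt.Printf("unverified replacement key:   %v\n", r.OtherKeyVerifies)
}
```

The first two cases both verify: the checker cannot distinguish a release whose contents changed from one that did not, as long as the same key signed it. Only the last two fail, and they fail for the reasons a signature is designed to catch: modification after signing, and a key other than the one pinned. Which key to pin is the decision that has to be made over a second channel, not by the signature check itself.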
