[arch-general] usbguard package neglected

Justin Capella justincapella at gmail.com
Tue Oct 27 13:23:59 UTC 2020


You can build the latest yourself
https://aur.archlinux.org/packages/usbguard-git/ but it is good that
Levente is being diligent in verifying the new maintainers.

On Tue, Oct 27, 2020 at 4:31 AM arch user via arch-general <
arch-general at archlinux.org> wrote:

> On 27.10.20 03:45, Eli Schwartz via arch-general wrote:
> > The point of a signing key is to say "this key certifies the correct
> > software and I commit to using it. Anything else is automatically
> > suspect as malware".
> >
> > You don't immediately respond by saying "well it came from the same
> > website and some unverified source told me the key totally got lost but
> > it's fine. So let's blindly click accept".
>
>
> The only thing a signing key accomplishes is that you can verify what
> other commits were made by that signing key, i.e. person. If you
> verified the key via a second channel you also know the person the key
> belongs to. Anything beyond that is just a point of view.
>
> A signing key has nothing to do with malware at all. What made you think
> the software hasn't been malware in the first place? What makes you
> think the person owning that signing key isn't writing good software
> until some distros are trusting his key, adding the software as official
> package and then the person starts implementing evil backdoors?
>
> I'm just wondering, because you can easily write malicious software and
> sign it with the same key all the time.
>

