[pacman-dev] [PATCH 2/3] makepkg: command line options for signing

IgnorantGuru jgj7.pacmandev at mailnull.com
Sat Feb 19 08:57:31 EST 2011


On Fri, 18 Feb 2011 23:30:22 -0200
Denis A. Altoé Falqueto at 256.com wrote:

> Two new command line options were added:

Nice to see your work with makepkg in this area Denis - that's key (pun).  From what I've reviewed of what you're doing, I would say you're working in an area that needs it for this to gain usage.  So thanks!  As for laziness, it's hard to get motivated in an area where your work isn't pushed through to actual use (that's what I meant by politics in this).  But from what I'm reading it does sound like some of the devs here do 'get it' with regard to the gaping hole in Arch's package security, which is reassuring.  I'm amazed there is so much contention on this issue, though.

What Sourceforge had to say after they got caught with their pants down on security:
 
    Sourceforge.net has been around a long time, and security decisions
    made a decade ago are now being reassessed. In most cases past
    decisions were made around the general principle that we trust open
    source developers to work together, play nice, and generally do the
    right thing. Services were rolled out based on widespread trust for the
    developer community. And that philosophy served us well.  But in the
    years since then, we’ve evolved from hundreds of sf.net users to
    millions, and in many cases it’s time to re-assess the balance between
    widespread trust and security.
    http://sourceforge.net/blog/sourceforge-attack-full-report/

I think Arch is facing a similar transition.  Due to the quality work of its devs, it's coming of age, and part of that means more exposure and interest from a security perspective.
