[pacman-dev] [PATCH 2/3] makepkg: command line options for signing
jgj7.pacmandev at mailnull.com
Sat Feb 19 08:57:31 EST 2011
On Fri, 18 Feb 2011 23:30:22 -0200
Denis A. Altoé Falqueto at 256.com wrote:
> Two new command line options were added:
Nice to see your work with makepkg in this area Denis - that's key (pun). >From what I've reviewed of what you're doing, I would say you're working in an area that needs it for this to gain usage. So thanks! As for laziness, it's hard to get motivated in an area where your work isn't pushed through to actual use (that's what I meant by politics in this). But from what I'm reading it does sound like some of the devs here do 'get it' with regard to the gaping hole in Arch's package security, which is reassuring. I'm amazed there is so much contention on this issue, though.
What Sourceforge had to say after they got caught with their pants down on security:
Sourceforge.net has been around a long time, and security decisions
made a decade ago are now being reassessed. In most cases past
decisions were made around the general principle that we trust open
source developers to work together, play nice, and generally do the
right thing. Services were rolled out based on widespread trust for the
developer community. And that philosophy served us well. But in the
years since then, we’ve evolved from hundreds of sf.net users to
millions, and in many cases it’s time to re-assess the balance between
widespread trust and security.
I think Arch is facing a similar transition. Due the quality work of its dev its coming of age, and part of that means more exposure and interest from a security perspective.
More information about the pacman-dev