[pacman-dev] [ Package Signing ] Your signature please

Jelle van der Waa jelle at vdwaa.nl
Sat Feb 19 14:15:44 EST 2011

On Sat, 2011-02-19 at 20:05 +0100, Alf Gaida wrote: 
> >Yeah! Archers deserve to die!
> >
> >But really I'm not convinced by this hyper-paranoia trash.
> >There will always be ways to compromise your machine. Someone who would
> >go through the trouble of setting up a proxy mirror and injecting
> >malicious code into seemingly normal packages is probably going to find
> >other ways. Package signing will not protect you.
> >
> >You will never be safe.
> >The truth is out there.
> This is opensource  - if you would create real trouble, just help with kernel-
> modules. ;) The only difference is, in other distributions these errors came 
> through your system signed.
> Why hacking, when simple development is so easy? 

I don't understand what you are saying, but in short.

You can't force Allan / any pacman-dev to create package signing for
pacman. If you really want to get this feature into pacman/archlinux
(dbscripts etc. needs to be redone too):

-read the code
-add patches
-wait for devs to sign them off

on a side note:

Jelle van der Waa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
URL: <http://mailman.archlinux.org/pipermail/pacman-dev/attachments/20110219/81cb85b8/attachment.asc>

More information about the pacman-dev mailing list