So you're saying... blindly trusting someone else that is unknown to build and blindly sign a package is more secure than you downloading the pkgbuild with cower or something, looking at the PKGBUILD, and then using makepkg... How is that? Second, where do you propose the computing time and the storage space comes from to support this kind of repository? Daniel > Date: Fri, 11 Apr 2014 16:06:40 -0600 > From: havoc@xxxxxxxxx > To: arch-general@xxxxxxxxxxxxx > Subject: Re: [arch-general] Is Voting Effective? > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 04/11/2014 03:57 PM, Daniel Micay wrote: > > Packages are included in the repositories if and only if a > > developer or trusted user is interested in maintaining the package. > > In my opinion, it's best for packages to be maintained by people > > who actually use and care about them even if it means that they're > > in the AUR instead of the official repositories. These AUR > > maintainers have the opportunity to apply as a trusted user in the > > future. > > > > That's a good point point, and I agree. > > My problem with the AUR is just its lack of security. Even an automatic > "build and sign as many AUR packages as possible" kind of repository > would be beneficial, since it would at least ensure that every Arch > Linux user is getting the same copy of the package, which would make it > a lot harder for an attack to go unnoticed. > > So, I'm really not annoyed that that important packages are in the AUR > just for the sake of their being in the AUR. I'm annoyed that their > being in the AUR makes it extremely difficult to access them securely. > > - -- > Taylor Hornby > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.22 (GNU/Linux) > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBAgAGBQJTSGdwAAoJEN+oIJzpZ41d1kcP/iduFcPrS+sfEMF0iZkCpk36 > svscbt9CM6+x92nSLUtdUTbEVIoBSncasVGgm3ktQtZx43+FV6vK2OKozNcC/myX > l9C0dv+BHcIKz+irNc9elgNU6w7PcmPaPAOokIvS+VWcge+Wcw6+FJbA3GY4IVUk > YU8XwyCLg8sS+gLEKhSdtKiTDFNIcTXmuZyuF5hxWKsroIrLIQPAfqKh3bgCKUW6 > j6CYeV6PZ7QKdiky7ANOqQ+k3wfmWfk7LhIG/9A0bvvWkf23+mwB6ah8N6verpm9 > TduawhFD7Ns1Wf1n6sJDDlywbq3ZnNvHKVNuz4oKFutgLd9Qh+xtPs1b6cUJ7Par > IIvcxT5iKduVwTDydAnJffBu4qIHDTS/GH/PA3mO+8TA1jWDYudgxb5rvIrM7tx5 > 3wT5Zv4lSoWdZiRyItViJCYiGpBMUmJVmW6g0t+zQRIzcwrxze151XTWwiBru9/4 > P4Vp6jlfJuHeGijOsJ87yTs385qEPliyCsiH4R/6sOVF10rN7qlMH4rm3MhGZhWw > u7f3mx49CHE+wvMthmYHxzDDVUtNTAHRnHJ69FV4ZM7d3XdFh3Q92EjdiupguKQx > hDVCxsa1w2Ayo7l481DY89r+/buWgx/Zya40ZkQPYAGMZQZUNF0R6A2PEMNwLy98 > 58MIP7AB1tYqCjacFh0A > =ifsP > -----END PGP SIGNATURE-----
