On 04/11/2014 04:27 PM, Daniel Wallace wrote:
> So you're saying... blindly trusting someone else that is unknown
> to build and blindly sign a package is more secure than you
> downloading the pkgbuild with cower or something, looking at the
> PKGBUILD, and then using makepkg...

I'd also argue that not all users know how to do that, and the process is time consuming (especially when there are dozens of dependencies), so it's effectively impossible for a subset of users.

I realize that contradicts the "user-centric not user-friendly" section of The Arch Way, but if there's any reason something should be allowed to violate that rule, it's security.

--
Taylor Hornby