On Sun, Jan 03, 2016 at 12:18:36AM +0100, Magnus Therning wrote:
> How is that stupid? Do you check the sources with each release? *How*
> do you perform those checks?

OK, fact #0 - I only use software whose upstream I trust. Having said that, I usually pull md5sums and sha*sums in the PKGBUILD, all from different sources (upstream, Debian, Gentoo, etc.), if the src is not upstream-signed.

FF releases _are_ signed (I don't know why the PKGBUILD in [extra] doesn't check that), so just have the Mozilla signing key (currently 0x61B7B526D98F0353) in your keychain.

If you trust random people in the AUR and never inspect their PKGBUILDs, or even worse, use their binaries, you deserve to be rooted.

Best,
-- 
Leonid Isaev
GPG fingerprints:
  DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4
  C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
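The two checks the reply describes, as an added example that is not Leonid's code nor anything from the Arch PKGBUILD: first, that a tarball's signature comes from the expected key (a "Good signature" from any key in the keyring is not sufficient), parsed from `gpg --status-fd 1 --verify` output; second, that checksum listings from several independent sources all agree with the downloaded file. The tarball bytes, the checksum listings and the gpg status lines are constructed stand-ins; the only real value is the long key id 0x61B7B526D98F0353 from the message.

```python
import hashlib
from typing import Dict, Iterable

MOZILLA_KEYID = "61B7B526D98F0353"  # long key id quoted in the message
# Constructed stand-in for the upstream tarball ("firefox-X.Y" is a placeholder).
TARBALL_NAME = "firefox-X.Y.source.tar.xz"
TARBALL = b"constructed stand-in for " + TARBALL_NAME.encode()
_GOOD = hashlib.sha256(TARBALL).hexdigest()
# Constructed sha256sum-style listings from independent sources; "mirror"
# disagrees (stale copy or tampered file).
SOURCES = {
    "upstream": f"{_GOOD}  {TARBALL_NAME}\n",
    "debian": f"{_GOOD}  {TARBALL_NAME}\n",
    "mirror": "deadbeef" * 8 + f"  {TARBALL_NAME}\n",
}
# Constructed `gpg --status-fd 1 --verify` output; the fingerprint is fake
# apart from its trailing key id.
STATUS_GOOD = [
    "[GNUPG:] GOODSIG 61B7B526D98F0353 Mozilla Software Releases (constructed uid)",
    "[GNUPG:] VALIDSIG " + "0" * 24 + "61B7B526D98F0353 2016-01-01 1451606400 0 4 0 1 8 00",
]


def signed_by_expected_key(status_lines: Iterable[str], expected_keyid: str) -> bool:
    """True only if gpg emitted VALIDSIG and the signing key's fingerprint (or
    the primary key's, the optional last field) ends with the expected id.
    A 'Good signature' from just any key in the keyring must not count."""
    want = expected_keyid.upper()
    want = want[2:] if want.startswith("0X") else want
    for line in status_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            if any(f.upper().endswith(want) for f in (parts[2], parts[-1])):
                return True
    return False


def cross_check_sha256(data: bytes, filename: str, sources: Dict[str, str]) -> Dict[str, bool]:
    """Compare the file's sha256 with what each independent source lists for it
    ('<hex>  <name>' lines). A missing or differing entry yields False."""
    digest = hashlib.sha256(data).hexdigest()
    verdict = {}
    for name, listing in sources.items():
        fields = [l.split() for l in listing.splitlines()]
        published = [f[0].lower() for f in fields if len(f) == 2 and f[1].lstrip("*") == filename]
        verdict[name] = published == [digest]
    return verdict
```

A build should proceed only when `signed_by_expected_key` is true and every entry of `cross_check_sha256` is true; one dissenting source is a reason to stop, not to pick the majority.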