Re: Firefox without signature checking

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Sun, Jan 03, 2016 at 12:18:36AM +0100, Magnus Therning wrote:
> How is that stupid?  Do you check the sources with each release?  *How*
> do you perform those checks?

OK, fact #0 - I only use software whose upstream I trust.

Having said that, I usually pull md5sums and sha*sums in the PKGBUILD, all from
different sources (upstream, Debian, Gentoo, etc.), if the src is not
upstream-signed. FF releases _are_ signed (I don't know why the PKGBUILD in
[extra] doesn't check that), so just have the Mozilla signing key (currently
0x61B7B526D98F0353) in your keychain.

If you trust random people in the AUR and never inspect their PKGUILDs, or even
worse, use their binaries, you deserve to be rooted.

Best,
-- 
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6  20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D


[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux