Leonid Isaev writes:

> On Sun, Jan 03, 2016 at 12:18:36AM +0100, Magnus Therning wrote:
>> How is that stupid? Do you check the sources with each release? *How*
>> do you perform those checks?
>
> OK, fact #0 - I only use software whose upstream I trust.

How do you establish that trust?

> Having said that, I usually pull md5sums and sha*sums in the PKGBUILD, all from
> different sources (upstream, Debian, Gentoo, etc.), if the src is not
> upstream-signed. FF releases _are_ signed (I don't know why the PKGBUILD in
> [extra] doesn't check that), so just have the Mozilla signing key (currently
> 0x61B7B526D98F0353) in your keychain.
>
> If you trust random people in the AUR and never inspect their PKGBUILDs, or even
> worse, use their binaries, you deserve to be rooted.

Ah, you mean you check the origins of the source code, not the source code
itself. My bad.

/M

--
Magnus Therning                      OpenPGP: 0x927912051716CE39
email: magnus@xxxxxxxxxxxx   jabber: magnus@xxxxxxxxxxxx
twitter: magthe               http://therning.org/magnus

I invented the term Object-Oriented, and I can tell you I did not have C++
in mind.
     -- Alan Kay
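The two-step verification Leonid describes (accept an upstream PGP signature from the expected key; otherwise require checksums gathered from several independent sources to agree), as an added bash example that is not part of this thread or of any PKGBUILD. It assumes gpg and sha256sum are installed and that the Mozilla key quoted above is already in the caller's keyring; the signature check is defined but not exercised by the demo, since that needs a real signature file.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Two checks in the order the reply
# suggests: accept an upstream PGP signature from the expected key, and only
# when there is no signature fall back to checksums obtained from several
# independent sources that must all agree.
set -euo pipefail

# Detached-signature check. Succeeds only if gpg reports a VALIDSIG whose
# primary key fingerprint ends in the expected long key ID. Default key ID is
# the Mozilla signing key quoted in the thread; the key must already be in
# the caller's keyring (assumption: no keyring is configured here).
verify_upstream_signature() {
    local tarball="$1" sig="$2" keyid="${3:-61B7B526D98F0353}" status
    status=$(gpg --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    case "$status" in
        *"[GNUPG:] VALIDSIG "*"$keyid"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fallback: compare the tarball's SHA-256 against every checksum the caller
# collected (upstream, Debian, Gentoo, ...). Returns 1 on any disagreement and
# 2 when fewer than two sources are given, since one source is no cross-check.
crosscheck_sha256() {
    local tarball="$1" actual expected
    shift
    [ "$#" -ge 2 ] || return 2
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    for expected in "$@"; do
        [ "$expected" = "$actual" ] || return 1
    done
}

# Demo on a constructed file standing in for a source tarball.
demo_tarball=$(mktemp)
printf 'constructed tarball contents\n' > "$demo_tarball"
good=$(sha256sum "$demo_tarball" | cut -d' ' -f1)   # what three honest sources publish
bad=$(printf '%064d' 0)                              # constructed checksum from a tampered mirror
if crosscheck_sha256 "$demo_tarball" "$good" "$good" "$good"; then
    echo "three sources agree with the file: accept"
fi
if ! crosscheck_sha256 "$demo_tarball" "$good" "$bad"; then
    echo "one source disagrees: reject and investigate"
fi
rm -f "$demo_tarball"
```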