On 10/31/2016 05:50 PM, Leonid Isaev wrote:
> As a side question... is there a significant difference in signing PKGBUILD vs
> the compiled package.

Do you realize, when you ask if there is a difference between signing a PKGBUILD vs. a built package, it sounds an awful lot like asking if there is a difference between a PKGBUILD and a built package? Well, of course there is a difference. They are two different things...

> Given that when building a pkg, I inspect the PKGBUILD,
> what attack is possible when the PKGBUILD is not signed?

Off the top of my head, there is *the topic of this thread*. Someone could modify the checksums and deliver fake sources. When the PKGBUILD just says "run `make`", how do you tell the difference?

-- 
Eli Schwartz
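The point made above (a checksum inside an unsigned PKGBUILD only proves the sources match that PKGBUILD, not that the PKGBUILD is trustworthy) as an added example. This is not code from the thread or from makepkg; it is a standalone Python sketch. The PKGBUILD text, the source bytes and the "trusted reference" sums are all constructed here, and `render_pkgbuild`, `parse_arrays`, `verify_sources` and `verify_declared_sums` are hypothetical helper names.

```python
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a source tarball and a patch (not real files).
ORIGINAL_SOURCES = {
    "example-1.0.tar.gz": b"constructed upstream tarball contents",
    "example.patch": b"--- a/foo\n+++ b/foo\n",
}


def render_pkgbuild(sources: dict) -> str:
    """Render a minimal, constructed PKGBUILD whose sha256sums= array
    matches `sources` exactly (the way a maintainer would regenerate it)."""
    names = " ".join(f'"{n}"' for n in sources)
    sums = "\n            ".join(f"'{sha256_hex(b)}'" for b in sources.values())
    return (
        "pkgname=example\n"
        "pkgver=1.0\n"
        f"source=({names})\n"
        f"sha256sums=({sums})\n"
        "build() { make; }\n"
    )


# name=( ... ) arrays, possibly spanning lines; items are quoted tokens.
_ARRAY = re.compile(r"^(\w+)=\((.*?)\)", re.MULTILINE | re.DOTALL)
_ITEM = re.compile(r"""['"]([^'"]+)['"]""")


def parse_arrays(text: str) -> dict:
    """Return {variable: [items]} for the quoted-array assignments in a PKGBUILD."""
    return {m.group(1): _ITEM.findall(m.group(2)) for m in _ARRAY.finditer(text)}


def verify_sources(pkgbuild: str, fetched: dict) -> dict:
    """makepkg-style integrity check: do the fetched bytes hash to the sums
    the PKGBUILD declares? A pass here only ties the sources to *this*
    PKGBUILD; whoever edits the PKGBUILD can also edit the sums."""
    arrays = parse_arrays(pkgbuild)
    return {
        name: sha256_hex(fetched[name]) == declared
        for name, declared in zip(arrays["source"], arrays["sha256sums"])
    }


def verify_declared_sums(pkgbuild: str, trusted_sums: dict) -> bool:
    """Compare the sums a PKGBUILD declares with an independently trusted
    reference, e.g. the sums from a copy whose detached signature you
    verified. This is the check an unsigned PKGBUILD cannot give you."""
    arrays = parse_arrays(pkgbuild)
    declared = dict(zip(arrays["source"], arrays["sha256sums"]))
    return declared == trusted_sums


def scenario() -> dict:
    """Walk through the situation described in the thread with constructed data."""
    honest = render_pkgbuild(ORIGINAL_SOURCES)
    trusted = {n: sha256_hex(b) for n, b in ORIGINAL_SOURCES.items()}

    # A replaced tarball shipped together with a PKGBUILD whose sums were
    # regenerated to match it: the checksum step alone is satisfied.
    modified = {**ORIGINAL_SOURCES, "example-1.0.tar.gz": b"modified tarball contents"}
    modified_pkgbuild = render_pkgbuild(modified)

    return {
        "honest_sources_ok": all(verify_sources(honest, ORIGINAL_SOURCES).values()),
        "modified_sources_pass_own_sums": all(verify_sources(modified_pkgbuild, modified).values()),
        "honest_pkgbuild_matches_trusted_reference": verify_declared_sums(honest, trusted),
        "modified_pkgbuild_caught_by_trusted_reference": verify_declared_sums(modified_pkgbuild, trusted),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The second result in `scenario()` is the one the thread is about: once the PKGBUILD and the sources come from the same untrusted channel, a matching checksum is not evidence of anything. The last result shows what a trusted reference (in practice, a signature over the PKGBUILD or over the built package) adds: the edited sums no longer agree with it, so the substitution is detected before `make` ever runs.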