You can build the latest yourself https://aur.archlinux.org/packages/usbguard-git/ but it is good that Levente is being diligent in verifying the new maintainers.

On Tue, Oct 27, 2020 at 4:31 AM arch user via arch-general <arch-general@xxxxxxxxxxxxx> wrote:

> On 27.10.20 03:45, Eli Schwartz via arch-general wrote:
> > The point of a signing key is to say "this key certifies the correct
> > software and I commit to using it. Anything else is automatically
> > suspect as malware".
> >
> > You don't immediately respond by saying "well it came from the same
> > website and some unverified source told me the key totally got lost but
> > it's fine. So let's blindly click accept".
> >
> The only thing a signing key accomplishes is that you can verify what
> other commits were made by that signing key, i.e. person. If you
> verified the key via a second channel you also know the person the key
> belongs to. Anything beyond that is just a point of view.
>
> A signing key has nothing to do with malware at all. What made you think
> the software hasn't been malware in the first place? What makes you
> think the person owning that signing key isn't writing good software
> until some distros are trusting his key, adding the software as official
> package and then the person starts implementing evil backdoors?
>
> I'm just wondering, because you can easily write malicious software and
> sign it with the same key all the time.
>