Denis A. Altoé Falqueto on Wed, 2013/04/24 17:18:
> I would say that the best way to assure you're using the correct file,
> as intended by the original developers, is to use digital signatures
> to check the sources. Not all projects sign their releases, but for
> those who do, you can use makepk
Packages are signed, unless they're infected at the source, you can't
attach/embed malware in them en route to your machine.
Upstream could insert much more insidious things into a package than
malware. Scanning for malware is only going to help you find known
pieces of malware with known signature
On Wed, 2013-04-24 at 13:47 -0400, Mark E. Lee wrote:
> As seen by some malignant Android apps, trust in the
> developer/maintainer does not always work
IMO this is an improper comparison. The Android community is completely
different to the Linux, BSD etc. communities. You might call Android a
Li
No.
There is package signing now. You already verify that the guy who put
his package on the repo is the guy you trust as your binary source.
How do you know? Because you could build the exact same binary with an
archlinux source package and current devtools. The unholy mess gcc is
is entrusted wi
On Tue, Apr 23, 2013 at 2:10 PM, Mark E. Lee wrote:
> While building packages on the AUR, I was wondering that except for
> manual user intervention (by reading the code), I didn't have any other
> methods of knowing if a package had malware or viruses. Hence, I was
> wondering if virus scanning v
On 2013-04-24 13:47, Mark E. Lee wrote:
> As seen by some malignant Android apps, trust in the
> developer/maintainer does not always work towards the goals of the end
> users. Packages downloaded from the main repos or built from the AUR
> should be scanned for both windows and linux malware to en
On Wed, 2013-04-24 at 12:57 -0400, arch-general-requ...@archlinux.org
wrote:
> On Tuesday, April 23, 2013 06:56:56 PM Daniel Micay wrote:
> > On Tue, Apr 23, 2013 at 1:10 PM, Mark E. Lee wrote:
> > > While building packages on the AUR, I was wondering that except for
> > > manual user interven
On Tuesday, April 23, 2013 06:56:56 PM Daniel Micay wrote:
> On Tue, Apr 23, 2013 at 1:10 PM, Mark E. Lee wrote:
> > While building packages on the AUR, I was wondering that except for
> > manual user intervention (by reading the code), I didn't have any other
> > methods of knowing if a package h
On Tue, Apr 23, 2013 at 1:10 PM, Mark E. Lee wrote:
> While building packages on the AUR, I was wondering that except for
> manual user intervention (by reading the code), I didn't have any other
> methods of knowing if a package had malware or viruses. Hence, I was
> wondering if virus scanning v
While building packages on the AUR, I was wondering that except for
manual user intervention (by reading the code), I didn't have any other
methods of knowing if a package had malware or viruses. Hence, I was
wondering if virus scanning via clamav should be called before pacman
installs packages.
10 matches