https://man.archlinux.org/man/pacman.conf.5#PACKAGE_AND_DATABASE_SIGNATURE_CHECKING

Optional (default)

Signatures are checked if present; absence of a signature is not an error. An invalid signature is a fatal error, as is a signature from a key not in the keyring.

How the fuck is this the default? It should at least be switched to

Required

Signatures are required; absence of a signature or an invalid signature is a fatal error, as is a signature from a key not in the keyring.

when adding mirrors. Preferably automatically. Or there should be a very clear warning.
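The Optional-versus-Required distinction quoted above, turned into a check that can be run against a real config file: an added example that is not part of the original post. It assumes the SigLevel words documented in pacman.conf(5) and feeds a constructed sample file.

```shell
# Added example, not from the thread: print the effective package and database
# SigLevel of every repository in a pacman.conf, so an Optional level inherited
# from [options] or left on an added mirror is visible. Model assumed from the
# man page: Never/Optional/Required set both levels, a Package/Database prefix
# narrows a word to one level, later words win, unset falls back to "Optional".
siglevels() {   # usage: siglevels /etc/pacman.conf -> "<repo> <pkg-level> <db-level>"
    awk '
    function apply(sec, words,   i, m, w, p, scope) {
        m = split(words, w, /[[:space:]]+/)
        for (i = 1; i <= m; i++) {
            p = w[i]; scope = "both"
            if (sub(/^Package/, "", p)) scope = "pkg"
            else if (sub(/^Database/, "", p)) scope = "db"
            if (p !~ /^(Never|Optional|Required)$/) continue  # TrustedOnly/TrustAll: key trust, not presence
            if (scope != "db") pkg[sec] = p
            if (scope != "pkg") db[sec] = p
        }
    }
    function level(sec, arr) {   # repo value, else [options] value, else documented default
        return (sec in arr) ? arr[sec] : ("options" in arr) ? arr["options"] : "Optional"
    }
    /^[[:space:]]*\[[^]]+]/ {   # section header such as [core]
        sub(/^[[:space:]]*\[/, ""); sub(/].*$/, ""); section = $0
        if (section != "options") order[++n] = section
        next
    }
    /^[[:space:]]*SigLevel[[:space:]]*=/ {
        sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*#.*$/, ""); apply(section, $0)
    }
    END { for (i = 1; i <= n; i++) print order[i], level(order[i], pkg), level(order[i], db) }
    ' "$1"
}
# Repositories from which pacman would accept an unsigned package.
unsigned_packages_allowed() { siglevels "$1" | awk '$2 != "Required" { print $1 }'; }

# Constructed sample: [options] leaves SigLevel unset, core is hardened
# explicitly, and a newly added mirror repo silently inherits the Optional default.
SAMPLE_CONF="${TMPDIR:-/tmp}/pacman-siglevel-demo.conf"
cat > "$SAMPLE_CONF" <<'EOF'
[options]
HoldPkg = pacman glibc
[core]
SigLevel = Required DatabaseOptional
[mynewmirror]
Server = https://mirror.example.invalid/$repo/os/$arch
EOF
siglevels "$SAMPLE_CONF"                   # core Required Optional / mynewmirror Optional Optional
unsigned_packages_allowed "$SAMPLE_CONF"   # mynewmirror
```

Run it against /etc/pacman.conf instead of the sample to see which repositories on a real system still accept unsigned packages.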


@Hyolobrika
I might be wrong, but I suppose no one uses Arch in their critical infrastructure, which makes a supply chain attack unlikely. For a rolling release distro, signing everything would likely create significant overhead and no benefit 🤷
