Hey Bratmon!
I read the post...as far as I can see: Arch and Pacman are great pieces of software. The idea of compromised software ending up on the hard drive is a scary one (I for one should know, in windows, that WAS the main scare all the time) and I see paccheck as a great "in the mean time" and a wonderful tool to check the validity of the mirrors. As far as I can see, it is a way to take the pressure off the package signing until that work CAN be done...
To quote some stuff
Quote:
It's just lack of manpower to make it. That's it
|
Well, Linux is an effort of lots of people, all (mostly?) volunteers.
Quote:
From here, shit hit the fan
|
Not needed, Arch is "alive" in that it is a constant work in progress.
Quote:
I challenge you to find any of us that said package signing is or was "unimportant",
|
No, but what I can come in to is that priorities - for the time being - lie elsewhere. So paccheck could be a great tool to act as a "lightning rod" for now. In the end, I am convinced package signing will get there...but it takes time.
I am/was a software developer. I know what it's like to be between more than two fires...
I have actively hand-picked Arch for several reasons, one being stability.
I like linux for what it is: people stuff. It (Arch, that is) helped me get to understand the inside of Linux. Something Ubuntu and Fedora (for all of their good qualities) never did, as they were not designed for that goal.
I for one stress that signing and whatever the "others" have will get there. And I'll stick around for the ride!
Thor
PS thanks for this contribution. Let me end with this thought: between two extremes lies understanding, but both extremes have to meet the other half-way.