LinuxQuestions.org
Old 08-25-2016, 09:11 AM   #16
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559


Quote:
Originally Posted by dugan View Post
That's a technical question. The answer is cryptographic signatures.
That is only part of the story of course.
You first have to know the persons who are cryptographically signing their packages before you can come to trust them and their signatures.
 
Old 08-25-2016, 10:13 AM   #17
Slax-Dude
Member
 
Registered: Mar 2006
Location: Valadares, V.N.Gaia, Portugal
Distribution: Slackware
Posts: 528

Quote:
Originally Posted by hitest View Post
Quote:
Originally Posted by Alien Bob View Post
Yeah, and who is supposed to do all that work? Also consider that this will cost money, not just labor. SlackBuild scripts have negligible filesizes but downloading a Slackware package requires bandwidth. And hundreds of users downloading hundreds of packages require loads of bandwidth, a reliable server and a lot of storage.
Indeed.
Someone already does the work and pays the bills;-)
 
Old 08-25-2016, 10:18 AM   #18
Slax-Dude
Member
 
Registered: Mar 2006
Location: Valadares, V.N.Gaia, Portugal
Distribution: Slackware
Posts: 528

Quote:
Originally Posted by Alien Bob View Post
That is only part of the story of course.
You first have to know the persons who are cryptographically signing their packages before you can come to trust them and their signatures.
So, all it takes is for someone that knows Panagiotis Nikolaou, and is known to someone that is known to someone... that is known to a trusted person, sign his key?
 
Old 08-25-2016, 01:44 PM   #19
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Quote:
Originally Posted by Slax-Dude View Post
So, all it takes is for someone that knows Panagiotis Nikolaou, and is known to someone that is known to someone... that is known to a trusted person, sign his key?
No of course not.

The important thing is that people must trust the packages, not the signatures.
People will not install random packages created by someone unknown, therefore it is important that the packager participates in the community, so that the potential users of his packages get to know him and can interact with him. Then, if enough trust has been created, people will start using his packages.
Signing the packages is optional and the fact that a package was signed has nothing to do with the quality of the package (i.e. does it work on my Slackware; does it not mess up the permissions of system directories; does it not overwrite system libraries; etc...).

A gpg signature serves only one purpose: to verify that the package you just downloaded and want to install was signed by someone you trust, so that you can be reasonably sure that it does not contain viruses, spyware or malware.
 
4 members found this post helpful.
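The check post #19 describes, as an added example that is not part of the thread: a signature counts only when it is valid and made by a key the user has already decided to trust. The fingerprint, the allow-list variable and the function names are constructed for illustration; `check_status` reads the machine-readable lines that `gpg --status-fd` emits.

```shell
#!/bin/sh
# Added example, not code from the thread. TRUSTED_FPRS holds a constructed
# placeholder; replace it with fingerprints obtained from the packager
# through a channel you trust (space-separated, no spaces inside each one).
TRUSTED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status: read `gpg --status-fd` lines on stdin and print a verdict.
# Returns 0 only when the signature is valid AND the key is allow-listed.
check_status() {
    verdict="no-signature"
    while read -r tag keyword fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                # Tampered file, missing public key, expired or revoked key.
                verdict="not-verified"
                break ;;
            VALIDSIG)
                [ -n "$fpr" ] || continue
                # The last VALIDSIG field is the primary key fingerprint;
                # it differs from $fpr when a signing subkey was used.
                primary=${rest##* }
                primary=${primary:-$fpr}
                case " $TRUSTED_FPRS " in
                    *" $fpr "*|*" $primary "*) verdict="trusted" ;;
                    # Cryptographically fine, but from a stranger's key.
                    *) verdict="untrusted-signer" ;;
                esac ;;
        esac
    done
    echo "$verdict"
    [ "$verdict" = "trusted" ]
}

# verify_package: check a package against its detached .asc signature.
verify_package() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_status
}

# Usage: sh thisscript.sh /path/to/package.txz
if [ $# -gt 0 ]; then
    verify_package "$1"
fi
```

The "untrusted-signer" verdict is the case the post warns about: the signature verifies, yet it says nothing until the key belongs to someone whose work the user already trusts.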
Old 08-25-2016, 02:27 PM   #20
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Void, Debian, Slackware
Posts: 7,342

Quote:
Originally Posted by Alien Bob View Post
The important thing is that people must trust the packages, not the signatures.
People will not install random packages created by someone unknown, therefore it is important that the packager participates in the community, so that the potential users of his packages get to know him and can interact with him. Then, if enough trust has been created, people will start using his packages.
Exactly. I'll install pre-built packages from a few trusted sources: you and Robby. That's it. I won't install software that is from an unknown source.
 
Old 08-25-2016, 03:40 PM   #21
dab1414
Member
 
Registered: May 2011
Location: OK, USA
Distribution: Slackware 14.1_64
Posts: 76

Quote:
Originally Posted by Daedra View Post
Is it time to at least consider SBo binary packages to attract more users?
IMHO, no. Back a decade ago or so when I was new to linux, I quickly left ubuntu. Slackware was one that I was interested in, but at the time was too much out of the league for me. So I went to salix which was perfectly suited for what you are asking. After bouncing awhile and LFS, arch, gentoo/funtoo later I came to realize Slackware is what I wanted. I like it the way it is and wish that what you are asking about never happens.
 
1 members found this post helpful.
Old 08-25-2016, 03:58 PM   #22
Altiris
Member
 
Registered: Mar 2013
Posts: 556

No. Compiling from slackbuilds is a ducking joke in that it is so fucking easy, I practically just have to run the ./SLACKBUILD and I am good to go. It's almost the same as just typing in the command to install the package except there is more wait time. You also have to remember that slackbuilds is not part of Slackware, it's a project done by separate people. I would be less inclined to use it if it only offered pre-compiled binaries as I would have no clue what they did to them. Currently the source packages are hosted on their original sites (and if not I download it from original) and I can see the slackbuild go see what goes on.

Also, it's a lot of work to push out pre-compiled packages and you lose the option of changing certain options that you get with compiling, like for qemu or libvirt, the user for it to use.
 
Old 08-25-2016, 04:46 PM   #23
solarfields
Senior Member
 
Registered: Feb 2006
Location: slackalaxy.com
Distribution: Slackware, CRUX
Posts: 1,449

Quote:
You first have to know the persons who are cryptographically signing their packages before you can come to trust them and their signatures.
I admit, I've never met Panagiotis in person. However, I have exchanged many emails with him and he seems like a really nice and dedicated guy. On the other hand, you LQ users, do not know me, therefore following the above logic, you cannot come to trust my words either.

So again, how does one earn the trust of the community here? How is one supposed to do that? I am not starting a fight, I am really asking (second time). AlienBob, have you tried and inspected any of the SlackOnly packages? Or you just blatantly state that you would probably not trust them? And this is supposed to imply what?
 
4 members found this post helpful.
Old 08-25-2016, 04:47 PM   #24
notKlaatu
Senior Member
 
Registered: Sep 2010
Location: Lawrence, New Zealand
Distribution: Slackware
Posts: 1,077

Wouldn't work for me.

I use SlackBuilds (my own and ones on SlackBuilds.org) because I prefer, and very often need, specific options compiled into my software. That's one of the many reasons I use Slackware: it makes this easy.

There are some packages I'm fine using a binary for (from trusted sources) but most of even those packages are pretty trivial to just build for myself, eliminating any perceived advantage to having a binary download. Common exceptions are KDE (I don't feel a need to ever compile that myself, so I'm happy to use Ktown), VLC, and probably a few others. I may find one or two things from slackonly now that I know it exists. But generally, I'm happy to compile the extraneous stuff, and simply must build the tools I rely on for a living because nobody else builds them right for me.

Last edited by notKlaatu; 08-25-2016 at 04:51 PM.
 
Old 08-25-2016, 04:57 PM   #25
notKlaatu
Senior Member
 
Registered: Sep 2010
Location: Lawrence, New Zealand
Distribution: Slackware
Posts: 1,077

Quote:
Originally Posted by solarfields View Post
how does one earn the trust of the community here? How is one supposed to do that?
I have met some people irl. That doesn't mean I trust them.

I generally tend to trust people based on experiences I have with them. Maybe I converse with them over IRC or in a forum. They seem rational and legitimately interested in open source, and like a good person, then I start to trust them. At that point, I start to trust software they send me out of the blue, or else I don't fully trust them but I'm curious enough to try software in a VM or something, where I can evaluate it.

Trust develops over time, as a mixture of interpersonal experience. Lacking that, one falls back on the experiences of other people one trusts.
 
1 members found this post helpful.
Old 08-25-2016, 05:08 PM   #26
55020
Senior Member
 
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 1,307
Blog Entries: 4

Quote:
Originally Posted by solarfields View Post
I admit, I've never met Panagiotis in person. However, I have exchanged many emails with him and he seems like a really nice and dedicated guy.
Me too. He's clearly contributed a lot of personal time, and (considering storage and bandwidth costs) personal money, into providing this resource for the community.

Quote:
Originally Posted by solarfields View Post
On the other hand, you LQ users, do not know me, therefore following the above logic, you cannot come to trust my words either.
I've never met you in person. However, I have exchanged many emails with you, and you seem like a really nice and dedicated guy

Quote:
Originally Posted by solarfields View Post
So again, how does one earn the trust of the community here?
The community is not monolithic. Some people will download anything, some people will download nothing. But most of us are in-between. We're happy to wait and see whether bad things happen to the people who will download anything
 
Old 08-25-2016, 07:43 PM   #27
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 8,792

Quote:
Originally Posted by Alien Bob View Post
People will not install random packages created by someone unknown
Tell that to all the people in the forum with dependency problems after installing random stuff from pkgs.org

But overall, I agree with what many have said. It is hard to gain trust from someone until you have consistent interaction with them. There's members on this forum, based on my interactions with them, that I would trust with building packages. Many won't give their free time helping out all sorts of new users and diagnosing problems veteran users are having (and everyone in between) if they have malicious intent towards users, and if they do, you can generally notice it relatively quick.

I have a hard time believing that Panagiotis puts in his time and money into this (especially without advertising it) with malcontent in his heart. I'm sure it's not an easy thing to do and it takes a good chunk of time to square away the repos. However, I have never interacted with him, so I can't determine my trust for him. Eric and Robby are easy to trust. If Pat trusts them, there's no reason we shouldn't, but even then, both interact with us on the forum.

But as Altiris and notKlaatu (and probably others) have mentioned, I prefer to compile things myself for the options that I'm provided. A lot of the software I use have optional dependencies that I may want to use, while others have optional dependencies that I don't want. It is nice for me to be able to build software that meets my expectations with no more or less fluff than I desire. There are only a few packages I'll grab from Eric, mainly qt5 and openjdk, just because my computer is slow and I don't want to wait for those to build.
 
Old 08-26-2016, 01:25 AM   #28
Radiotubes
LQ Newbie
 
Registered: Jun 2009
Posts: 28

I generally don't like pre compiled binaries especially if the source is not available. I've seen too many instances where the source needs a bit of touch up or customization for my purposes. Nvidia drivers and adobe flash suck for this reason.

I have to say that those who have issue with the delay that compile time takes versus the instant gratification of installing a binary... Those ppl need to install Umbuntu.

SlackBUILDS dot org (notice "builds" in bold caps)

One might see the benefit of attracting more ppl to the cause, but what kind of people do you want to attract? Those that are fearful of using a computer to do repetitive, recursive compilation ? Or those ppl who are too lazy to type a few commands on a keyboard?
 
Old 08-26-2016, 02:56 AM   #29
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,558
Blog Entries: 15

One bad thing about binary packages is dependencies. Each dependency update must be tested, and that list can get considerably long. Like AlienBob said, who will do all the work?

Debian, for example, host thousands of packages, but they all have to be maintained.

By keeping SBo as a source built system, it cuts down on personnel needs, hosting, costs, etc. Many of the from-source or power user distributions operate on small budgets with a few people. Some like Slackware, BLFS, CRUX, etc. all operate on what amounts to a shoestring budget.
 
1 members found this post helpful.
Old 08-26-2016, 03:05 AM   #30
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Quote:
Originally Posted by solarfields View Post
I admit, I've never met Panagiotis in person. However, I have exchanged many emails with him and he seems like a really nice and dedicated guy. On the other hand, you LQ users, do not know me, therefore following the above logic, you cannot come to trust my words either.
With a rare exception, I have not met anybody I interact with on this LQ forum in real life. Nor have I met Pat in real life. If you interact with someone face-to-face you will be able to use all the nonverbal interaction to build a more complete picture of the other person. It will teach you more about the person's character than when you interact purely using asynchronous means of communication like this forum or email.

So how do I get to trust people's work if I never met them? It builds up over time. In the case of Pat and other well-known people it's their reputation that precedes them. For 'ordinary' people that you see on this forum every day, it is their postings and interactions with other people (not just me) that paints a better picture of who they are. If I want to know more about something that was created by someone else in this community (a script, a package, a tool) I download and dissect it. I will get an idea of the quality of his work, which is the base for building trust. We do the same at SlackBuilds.org ('we' when I was still participating in the admin team but things have not changed there of course after I retired).

Trust levels also build up when other people (with a good reputation) speak highly of someone I do not know. If many people use the slackonly packages and are happy with it, that speaks in favor of those packages and their packager.

But I still like it better when I have a good picture of someone whose packages I use. That someone does not have to be participating in this community at LQ of course - if Panagiotis is Greek he will probably be spending a lot of time on Greek forums instead. But then I will not get to know him, and ultimately that means I am less inclined to use his stuff. Same is true for slacky.eu, the package repository of the Italian community. That too is a separate group of people, who interact in a language I do not understand, so I will not easily use their stuff.

Quote:

So again, how does one earn the trust of the community here? How is one supposed to do that? I am not starting a fight, I am really asking (second time). AlienBob, have you tried and inspected any of the SlackOnly packages? Or you just blatantly state that you would probably not trust them? And this is supposed to imply what?
I do not imply anything, and your last sentence has a suggestive tone I do not like. See how this works? It's like a ladder and you just dropped a few rungs.

Bottom line, you start with participating in a community, and when people get to know your online persona you will be able to build the credibility which you need to earn the trust of the community. When you yourself are not participating in a community and still want to be seen as trustworthy then you need proxies: people in that community who themselves are respected and have credibility, and who will vouch for your trustworthiness.

But as I am the untrusting kind, I will nevertheless still dissect your stuff and form my own opinion of the quality of your work :-)
 
5 members found this post helpful.