I hear you, but consider xz. I'm a professional with decades of experience and I'd be lying if I said I'd have caught that. How long would an audit have taken, realistically? You're not wrong, but I don't think the GP is, either.
Yeah, xz found its way to official repos, that's way more disturbing and scary than this (faux) issue about malware on AUR/user-generated websites.
I don't review updates to official packages on Arch; I don't think most people have time to do so, it's just way too much. Things change when we talk about AUR though, as those aren't vetted; those you need to take the time to review, otherwise you're basically installing completely unreviewed software from strangers on the internet.