03-26-2021, 03:51 AM
(03-24-2021, 04:26 PM)ImmyChan Wrote: Is there any way to verify these packages are clean?
That somewhat depends on what you mean by clean.
They're all signed with my key (https://privacyshark.zero-credibility.ne...yshark.txt, A98C3D1364D8C16408143C2E2954CC8585E27A3F), so you can at least be sure that they're always put there by the same person.
You can either verify them by hand with gnupg, or have them verified by pacman automatically by adding that key to your pacman-keys and setting the appropriate SigLevel in your pacman.conf.
The build scripts / PKGBUILDs are all public at https://gitlab.com/ohfp/pinebookpro-things, https://gitlab.com/librewolf-community/browser/arch and https://gitlab.com/ohfp/caidao; with librewolf and caidao, even the build-process jobs can be inspected, as they're run with the gitlab CI at https://gitlab.com/ohfp/caidao/-/jobs and https://gitlab.com/librewolf-community/b...rch/-/jobs.
Other than that, there's no way to guarantee it. It might be possible to get it all done as reproducible builds, but if that were demanded, I'd recommend just taking the PKGBUILDs and building it directly in the first place – those can be inspected and you remain fully in control.
So basically: as clean as I can "promise", and if that's not sufficient, everything to build the packages yourself is provided – the repository is just offered as a "convenience" to make using packages with more complicated / lengthy build processes easier and to provide a few specific packages all in one place.
Sometimes packages even get upstreamed to the Manjaro repos (element/riot, bitwarden), which is the best possible outcome – but until then (one could probably ask over there for packages to be included, if desired), that's what I can offer.
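The two verification routes described in the post above (checking a package signature by hand with gnupg, or having pacman enforce it via pacman-key and SigLevel), as an added shell example that is not code from the post or from the maintainer's repositories. The fingerprint is the one given in the post; the repository name and Server URL in the pacman.conf stanza are placeholders, and the gpg status text near the end is constructed, not captured from a real run. The extra check it adds is the one a practitioner wants: a successful `gpg --verify` only says *some* key in your keyring made a good signature, so the script also confirms that the signing key's fingerprint is the pinned one before trusting the package or locally signing the key.

```shell
#!/bin/sh
# Added example (not the forum post's or the maintainer's own code).
# Pin the fingerprint published in the post. Get it out of band and compare
# against it; never trust a fingerprint served by the same host as the packages.
PRIVACYSHARK_FPR="A98C3D1364D8C16408143C2E2954CC8585E27A3F"

# gpg and pacman-key print fingerprints in groups of four with spaces (and a
# double space in the middle); normalise before comparing.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Returns 0 when both strings denote the same key, 1 otherwise.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Extract the signer's fingerprint from "gpg --status-fd" output on stdin.
# Only VALIDSIG carries the full fingerprint; BADSIG/ERRSIG yield nothing.
fpr_from_gpg_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Route 1: verify a downloaded package by hand. Expects pkg and pkg.sig side by
# side. Succeeds only if the signature is good AND made by the pinned key.
verify_pkg_by_hand() {
    pkg="$1"
    status=$(gpg --status-fd 1 --verify "$pkg.sig" "$pkg" 2>/dev/null) || return 1
    signer=$(printf '%s\n' "$status" | fpr_from_gpg_status)
    fpr_matches "$signer" "$PRIVACYSHARK_FPR"
}

# Route 2: let pacman enforce signatures. Import the key into pacman's keyring,
# check its fingerprint against the pinned value, then locally sign it so
# pacman treats it as trusted. Run as root (or prefix with sudo).
trust_key_in_pacman() {
    pacman-key --recv-keys "$PRIVACYSHARK_FPR" || return 1
    got=$(pacman-key --finger "$PRIVACYSHARK_FPR" | grep -Eo '([0-9A-F]{4} *){10}' | head -n1)
    if ! fpr_matches "$got" "$PRIVACYSHARK_FPR"; then
        echo "fingerprint mismatch, refusing to lsign" >&2
        return 1
    fi
    pacman-key --lsign-key "$PRIVACYSHARK_FPR"
}

# The pacman.conf stanza to pair with route 2. "Required" makes every package
# signature mandatory and checked against trusted keys; "DatabaseOptional"
# tolerates an unsigned repo database. Repo name and URL are placeholders.
pacman_repo_stanza() {
    cat <<'EOF'
[privacyshark]
SigLevel = Required DatabaseOptional
Server = https://example.invalid/$arch
EOF
}

# Constructed sample of "gpg --status-fd 1 --verify" output (not a real
# capture) so the parsing can be exercised offline. The key ID on GOODSIG is
# the last 16 hex digits of the pinned fingerprint.
SAMPLE_GPG_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2954CC8585E27A3F sample uid
[GNUPG:] VALIDSIG A98C3D1364D8C16408143C2E2954CC8585E27A3F 2021-03-24 1616600000 0 4 0 1 8 00 A98C3D1364D8C16408143C2E2954CC8585E27A3F
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Offline demonstration: parse the constructed status and pin-check the signer.
demo_offline() {
    signer=$(printf '%s\n' "$SAMPLE_GPG_STATUS" | fpr_from_gpg_status)
    fpr_matches "$signer" "$PRIVACYSHARK_FPR"
}
```

To use route 1, run `verify_pkg_by_hand ./some-package.pkg.tar.zst` after downloading both the package and its `.sig`; for route 2, run `trust_key_in_pacman` once, append the stanza from `pacman_repo_stanza` (with the real Server line) to /etc/pacman.conf, and pacman will refuse packages from that repo unless they are signed by the locally signed key.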