Closed (alfredopalhares closed this 3 years ago)
I'm afraid I'm quite skeptical about providing links to a private repository that I don't trust or control. The official way to install the binary is to download it from the https://github.com/kayrus/gof5 releases page. I'm very sorry, I can publish a link only if there is an official Arch repo. Let me know if you have complaints, or just close the PR.
While I don't agree with your point of view, since Arch Linux users usually review the PKGBUILD (AUR package managers are built this way), and the method I use just downloads the one binary from the releases page, I respect your decision and I understand your concerns; you can close this Pull Request if you like.
Thank you for the software! Regards, Alfredo Palhares
@alfredopalhares A quite realistic scenario is to make a https://github.com/kayruz/gof5 fork with malicious code (remember, gof5 requires sudo), hack your AUR account and substitute the repo URL. This can also be true with GitHub, but GitHub has 2FA. This scenario is less probable, but when you have two minor security issues, they combine and can lead to a high-risk issue. Therefore it is better to avoid official packages; besides, gof5 is still in beta state.
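The risk kayrus describes above (an AUR PKGBUILD silently repointed at a lookalike fork) is something a packager or a user building from the AUR can check for mechanically before running `makepkg`. The script below is an added example, not code from the gof5 project or from this PR: it takes a PKGBUILD, verifies that every URL in the `source=()` array sits under the expected upstream (the https://github.com/kayrus/gof5/ releases location named in the thread) and that the `sha256sums=()` array pins real digests rather than `SKIP`. The two PKGBUILD files it writes are constructed for the demo; the version, release asset name and digest in them are placeholders, and the "bad" one uses the `kayruz` lookalike from the comment above.

```shell
#!/bin/sh
# Added example: pre-build sanity check for an AUR-style PKGBUILD.
# Not part of gof5 or of this PR; the sample PKGBUILDs below are constructed.

# Upstream prefix every source URL must start with (from the thread).
EXPECTED_UPSTREAM="https://github.com/kayrus/gof5/"

# Print the lines of a bash-style array assignment such as source=( ... ),
# whether it spans one line or several. $1 = array name, $2 = PKGBUILD path.
array_lines() {
    awk -v name="$1" '
        $0 ~ "^" name "=\\(" { inside = 1 }
        inside { print }
        inside && /\)/ { inside = 0 }
    ' "$2"
}

# check_pkgbuild FILE
# Returns 0 when every source URL is under EXPECTED_UPSTREAM and no checksum
# is SKIP; returns 1 (and prints why) otherwise.
check_pkgbuild() {
    file="$1"
    status=0

    # Pull bare URLs out of the source array; "name::url" entries yield the url part.
    urls=$(array_lines source "$file" | grep -oE "https?://[^\"' )]*" || true)
    if [ -z "$urls" ]; then
        echo "$file: no source URLs found"
        return 1
    fi
    for u in $urls; do
        case "$u" in
            "$EXPECTED_UPSTREAM"*) ;;   # expected upstream: fine
            *) echo "$file: source URL outside expected upstream: $u"; status=1 ;;
        esac
    done

    # A SKIP entry means makepkg will not verify the download at all.
    if array_lines sha256sums "$file" | grep -q SKIP; then
        echo "$file: sha256sums contains SKIP, download would not be verified"
        status=1
    fi
    return $status
}

# --- constructed sample input -------------------------------------------------
GOOD_PKGBUILD=$(mktemp)
BAD_PKGBUILD=$(mktemp)
trap 'rm -f "$GOOD_PKGBUILD" "$BAD_PKGBUILD"' EXIT

# Constructed "good" PKGBUILD: upstream URL, pinned (placeholder) digest.
cat > "$GOOD_PKGBUILD" <<'EOF'
pkgname=gof5-bin
pkgver=0.0.0
pkgrel=1
source=("gof5-$pkgver::https://github.com/kayrus/gof5/releases/download/v$pkgver/gof5-linux-amd64")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
EOF

# Constructed "bad" PKGBUILD: lookalike fork (kayruz) and an unverified download.
cat > "$BAD_PKGBUILD" <<'EOF'
pkgname=gof5-bin
pkgver=0.0.0
pkgrel=1
source=(
  "gof5-$pkgver::https://github.com/kayruz/gof5/releases/download/v$pkgver/gof5-linux-amd64"
)
sha256sums=('SKIP')
EOF

check_pkgbuild "$GOOD_PKGBUILD" && echo "good PKGBUILD: accepted"
check_pkgbuild "$BAD_PKGBUILD" || echo "bad PKGBUILD: rejected"
```

The check is deliberately a prefix match on the full upstream path rather than just the `github.com` host, so a fork under a different account (including a one-letter lookalike) is caught; pinning `sha256sums` is what makes a later swap of the release asset itself fail at `makepkg` time.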
This closes #19
Just adding some information on the README