Sorry for the yellow title, but this should attract more people into the discussion.
Issue:
$ pacman -Si plasma-angelfish
Repository : community
Name : plasma-angelfish
Version : 1.3.0+14+g0026956-1
Packager : Philip Müller <philm@manjaro.org>
No groups or projects matched your search Packages · GitLab
OR
https://software.manjaro.org/package/plasma-integration
Build Date: Wednesday June 22 13:55
Packager: Philip Müller, Manjaro
Package Source -> https://gitlab.manjaro.org/packages?filter=plasma-integration
$ pacman -Si plasma-integration
Repository : extra
Name : plasma-integration
Version : 5.24.5-2
Packager : Philip Müller <philm@manjaro.org>
plasma-integration is a Manjaro build, not from Arch, but the PKGBUILD exists only for kde-unstable and not for extra/kde.
These are not the only two cases; there are many more. These packages are just examples.
Topics for discussion:
- Is the manjaro PKGBUILD closed source code and not published?
- For all popular distributions, the source code of the packages/build scripts is open and available for study. Are they wrong and shouldn’t do that? How to rebuild a package with a .patch if PKGBUILD is not available?
- There is no way to know exactly how the packages were built. Today it is angelfish, tomorrow it is a fbi-manjaro-backdoor under the old name, and it is impossible to check/control it. How to detect when a package has been infected? Isn’t this a huge security hole?
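As an added example that is not part of the post above, the script below does the first step of the audit the post asks for: it reads `pacman -Si` records, keeps every package whose Packager field is not an @archlinux.org address (the heuristic for "built by the distribution rather than pulled from Arch"), and prints the GitLab search URL quoted in the post so each build script can be looked up. The sample records are constructed from the two packages quoted above plus one hypothetical Arch-built record; the @archlinux.org test is an assumption, not something Manjaro documents.

```shell
#!/bin/sh
# Added example, not code from the forum post or from Manjaro.
# Given `pacman -Si` output, list the packages that were built by the
# distribution itself (packager address not @archlinux.org) and print the
# GitLab search URL from the post for each, so the PKGBUILD can be checked.
# Assumption: records use the "Field : value" layout pacman prints.

# Constructed sample: the two records quoted in the post plus one
# hypothetical Arch-built record so the filter has something to leave out.
SAMPLE='Repository : community
Name : plasma-angelfish
Version : 1.3.0+14+g0026956-1
Packager : Philip Müller <philm@manjaro.org>

Repository : extra
Name : plasma-integration
Version : 5.24.5-2
Packager : Philip Müller <philm@manjaro.org>

Repository : extra
Name : example-arch-built
Version : 1.0-1
Packager : Example Packager <someone@archlinux.org>'

# list_locally_built: reads pacman -Si records on stdin and prints
# "name repo url" for every record whose packager is not @archlinux.org.
list_locally_built() {
    awk -F ' *: *' '
        $1 == "Repository" { repo = $2 }
        $1 == "Name"       { name = $2 }
        $1 == "Packager" {
            if ($2 !~ /@archlinux\.org>/)
                printf "%s %s https://gitlab.manjaro.org/packages?filter=%s\n", name, repo, name
        }'
}

# count_locally_built: number of packages that need a PKGBUILD lookup.
count_locally_built() {
    list_locally_built | wc -l | tr -d ' '
}

# On a live system: pacman -Si $(pacman -Qq) | list_locally_built
printf '%s\n' "$SAMPLE" | list_locally_built
```

The output is only a worklist: a package that is listed may still have a published PKGBUILD, and one that is not listed was simply signed by an Arch packager; the actual comparison against the GitLab repository is still manual.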