Sorry for the yellow title, but this should attract more people into the discussion.
$ pacman -Si plasma-angelfish Repository : community Name : plasma-angelfish Version : 1.3.0+14+g0026956-1 Packager : Philip Müller <firstname.lastname@example.org>
No groups or projects matched your search Packages · GitLab
https://software.manjaro.org/package/plasma-integration Build Date: Wednesday June 22 13:55 Packager: Philip Müller , Manjaro Package Source -> https://gitlab.manjaro.org/packages?filter=plasma-integration $ pacman -Si plasma-integration Repository : extra Name : plasma-integration Version : 5.24.5-2 Packager : Philip Müller <email@example.com>
These are not two cases, there are much more of them. These packages are just examples.
- Is the manjaro PKGBUILD closed source code and not published?
- For all popular distributions, the source code of the packages/build scripts is open and available for study. Are they wrong and shouldn’t do that? How to rebuild a package with a .patch if PKGBUILD is not available?
- There is no way to know exactly how the packages was built. Today it is angelfish, tomorrow it is a fbi-manjaro-backdoor under the old name and impossible to check/control it. How to detect when a package has been infected? Isn’t this a huge security hole?