Question about the GPGME SigLevel fix

A noobie question I’m curious about:

In the answer posts regarding the GPGME, no data errors [root tip] [How To] Mitigate and prevent GPGME error when syncing your system
it says “There is no security problem with this as the packages are signed and the SigLevel for the repos are usually set to PackageRequired”

Does that only apply to the Manjaro repos? If I’m also using other locations such as AUR, does changing the SigLevel cause any potential security issues if that change isn’t reverted?

That is correct.

pacman does not access the AUR, and it cannot, given that the AUR only contains PKGBUILD files, which are build scripts pointing at sources hosted elsewhere. pacman only installs, queries or removes ALPM packages.

That said, the AUR is a third-party repository, and its contents are managed by Arch users, not by Arch, Manjaro, or any of the other Arch-derivative distributions. Therefore, the AUR should always be treated with circumspection.

2 Likes

The SigLevel does not affect AUR. Technically you don’t install packages from AUR, you download a script (a text file) that says how to build the package on your computer. So you don’t actually need signatures, as you yourself are the builder (and the package never leaves your computer).

That said, using AUR exposes you to a different kind of threat. For example, a malignant AUR maintainer that includes some kind of malware in the build. Not that that happens usually, but it’s possible.

2 Likes
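
An added example, not part of the thread and not pacman's or Manjaro's own code: a Python check that reads a pacman.conf and reports each repo's effective package and database SigLevel, so a change that was never reverted shows up. The sample config and the repo name `thirdparty` are constructed, and the merge rule (a repo's tokens override the `[options]` level only for the scope they name) is this example's assumption about pacman's behaviour.

```python
import re

# Constructed sample (not from a real system); the repo "thirdparty" is hypothetical.
SAMPLE_CONF = """\
[options]
SigLevel = Required DatabaseOptional

[core]
SigLevel = PackageRequired

[extra]
Include = /etc/pacman.d/mirrorlist

[thirdparty]
SigLevel = Optional TrustAll
Server = https://repo.example.invalid/$arch
"""

LEVEL = re.compile(r"(Package|Database)?(Never|Optional|Required)")

def apply_tokens(state, value):
    """Apply SigLevel tokens left to right; unprefixed tokens set both scopes."""
    state = dict(state)
    for tok in value.split():
        m = LEVEL.fullmatch(tok)
        if m:  # trust tokens (TrustedOnly, TrustAll) do not change when checks happen
            for scope in ([m.group(1)] if m.group(1) else ["Package", "Database"]):
                state[scope] = m.group(2)
    return state

def effective_siglevels(conf_text):
    """Return {repo: {"Package": level, "Database": level}}; Include files are not followed."""
    raw, section = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            raw.setdefault(section, "")
        elif section and re.match(r"SigLevel\s*=", line):  # '#'-commented lines never match
            raw[section] += " " + line.split("=", 1)[1]
    # "unset" means no directive was seen, so pacman's built-in default applies.
    base = apply_tokens({"Package": "unset", "Database": "unset"}, raw.pop("options", ""))
    return {repo: apply_tokens(base, value) for repo, value in raw.items()}

def repos_without_required_packages(conf_text):
    """Repos where a package could be installed without a mandatory signature check."""
    return sorted(r for r, s in effective_siglevels(conf_text).items() if s["Package"] != "Required")

if __name__ == "__main__":
    print(effective_siglevels(SAMPLE_CONF), repos_without_required_packages(SAMPLE_CONF))
```

To audit a real system, pass the contents of `/etc/pacman.conf` to `repos_without_required_packages` instead of the sample string.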

Great, thanks for your replies.

I understand (not in depth) the PKGBUILD basics so I check the info as much as I can to see what the scripts plan to do prior to installing.

I was curious due to things like the pamac gui mentioning/allowing the tickbox ‘enable AUR support’ and wasn’t sure if there was any kind of relationship or if it was a total separation.

1 Like

It is indeed separate. The command-line commands of pamac are also different between installing packages from the repos and building AUR packages. See… 👇

man pamac
1 Like
