FOSDEM 2026

Relying on more transparent & trustworthy sources for Arch Linux packages

The software supply chain for Linux distributions is under growing pressure. Several distributions have recently suffered from infected packages caused by compromised or malicious upstream sources, including core libraries, leading to significant security implications.

These incidents prompted Arch Linux to reflect on the way we handle our package sources.
With the objective of bringing greater transparency to our packaging process, we revisited historical decisions and established updated guidelines and best practices for selecting trustworthy sources for our packages, so that such security threats can be prevented, or at least mitigated, in the future.

This talk will share an overview of the specifications and guidelines we established during this reflection.
