lemmyreader

Oh, I didn’t know that. I just downloaded iso and iso.sig then used gpg commands. The thing I’m worried about is, maliciousy chance of the iso. I probably used German or French mirror to download the iso. Then, failed the verification.

Suggesting the following for the archlinux-2024.05.01-x86_64.iso :

• Put your downloaded iso file and the sig file in ~/Downloads/ if you haven't done so.
• From your Arch Linux installation install the Sequoia sq tool : sudo pacman -S sequoia-sq
• Continue with the following commands : cd ~/Downloads
• sq network wkd fetch pierre@archlinux.org -o release-key.pgp
• sq verify --signer-file release-key.pgp --detached archlinux-2024.05.01-x86_64.iso.sig archlinux-2024.05.01-x86_64.iso

This should unlike with the GnuPG method give no warnings or errors.

Welcome to the penguin party! 🐧

When I was creating the bootable media for install it, I downloaded the .iso and .iso.sig from any mirror that is near. I followed the things about verification of .iso but I got some errors and gave up.

There's two different things. The checksum and the GnuPG signature. If you used the GnuPG method to check the signature I can imagine you got a warning because of the GnuPG key owner trust and that's actually expected behavior and should not worry you. Normally when you exchange GnuPG keys with a person in real life, you can compare key fingerprints and after that you would set the owner trust yourself for their key, but with downloaded iso images this is a different use case though if you really want you can set the owner trust to make the warning go away.

AUR appears to be quite popular but sometimes software is flagged out of date or it is dormant because the maintainer has no time any longer and new maintainers may come and go. Basically anyone can upload to AUR and there is no curation. Of course you can look at entries in the AUR and see when software was submitted for the first time and how many people have upvoted it but even that can give a false sense of security. The disclaimer at the AUR is clear : DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.

Flatpak has a drawback of pulling in more software that an application depends on (For example GNOME or KDE libraries) and someone has made a website https://flatkill.org of their bad experiences with Flatpak but that is from 2020. In the mean time there is Fedora Atomic desktop flavors depending on using Flatpak.

Arch Linux documentation will warn you about AUR. Other people will warn you about snaps. Some other people will warn you about flatpaks. Same for AppImage.

In my opinion it is fine to use LibreWolf from Flatpak which btw gets a blue mark. Consider editing your post title and add [Solved].

👍

That brings back some memories of a former US president. https://youtube.com/watch?v=Yq7FKO5DlV0

And to answer OP question :

I think most FOSS zealots simply despise capitalism in general, they want everyone else to be poor like them. Kinda like socialism.

One well known exception to your comment is Linus Torvalds. He didn't mind moving to the USA to make some good money after being a student who could afford a whopping 386! And unlike some people believe, the GPL does not restrict a programmer to make money.

Can’t import the keys.

You mean the one mentioned in the Pinned Comments for librewolf-bin in AUR ?