What Are the Security Implications of not Completely Signing Database?

https://bbs.archlinux.org – From this quote:

Allan wrote:
But, the OP (also?) talks about the local package database on his computer. That is not signed at all as there is no point. If someone can modify that, then they can regenerate the signature, or just modify any other piece of software on your computer.

Is it going to be easy for anyone other than the authorized user to modify the local package database?

And, are the following statements correct:

If the repository databases are modified, the hacker might be able to modify the packages on the server (Considering that if someone can modify the local package da