[masukomi]

and who would that be? Are you suggesting that you ONLY install software signed by developers you have personally verified the keys of? or that you know personally? Because if not, your argument is void because you're trusting completely unknown people who may actively be working to compromise your computer.

The fact that the software was signed doesn't mean anything if you don't actually verify each signature, and even then it only means that what they put up is what you downloaded. It doesn't mean it's not malware. It doesn't mean it doesn't have a back door. It doesn't mean it's not filled with security holes.

[px43]

You don't need to know people personally to trust a signature, you just need to know that the organizations they're coming from are at least somewhat reputable. Ideally, signatures should all chain up to the root of trust in your package manager, which is presumably operated by some entity that you've decided to place some trust in.