by maweaver 74 days ago
Using what mechanism? Most Linux updates are not pushed but rather pulled at the user request. You can use Linux totally offline. This is fundamentally different than a webapp, where code is sent with every visit.

The automatic updates most distros have enabled by default. Signal desktop outright stops working if you don't constantly pull updates from them.
Debian requires unattended-upgrades to be installed (it's not installed by default), Mint and Fedora have the option of enabling automatic updates (disabled by default), Arch has no mechanism for automatic updates.

Which ones are these "most distros"?

Distros have mirrors and they don't know which one you use. The updaters don't send user IDs and downloading the package lists is separate from downloading the packages. So targeted backdoor distribution is much harder than a company's web UI with user logins targeting a specific user.
Signal pushing updates every other day is pretty much a security anti-pattern though. It makes it almost as vulnerable as a web app to this kind of thing, but this isn't the typical Linux software experience by any stretch.
A typical user experience is Ubuntu/Fedora with Auto Updates from repos enabled.
Can you honestly say that you never ever updated anything in a Linux distro without first reading all the code, comparing all the checksums etc?
The checksums are verified automatically, based on a key bootstrapped by the original install (which could, though likely not done, be verified by other means). As happened with xz, you either get everyone or no-one.