[morganvachon]

Well, the thing is, I can do all that by getting the source myself directly from the author. Trusting the apt package maintainer to do that places trust in a third party, and beyond that, it's now obvious that apt for who knows how long, was not trustworthy.

Again, I fail to see how getting the source directly from the author and verifying the integrity of the source package is less secure than getting it from third-parties in binary form?

[VLM]

"I can do all that by getting the source myself directly from the author."

Most people won't, making it a net loss to remove an automated system. Also I'm betting you're not getting the source from the author unless you know the author in meatspace. You're trusting his DVCS (github?) not to be owned and his account not to be owned, then trusting someones gzip / tar program, then trusting their webhost who holds that source code file.

There is the interesting aspect that you probably don't spend all your time on software XYZ, but the package maintainer probably does, so if there is funny business, a distro package maintainer is much more likely to notice than yourself.

[jerf]

Author source repos have been hacked before, they'll be hacked again.

I think what people are sensing, even if they can't put their finger on it, is that you're applying fairly arbitrary standards of what's good and bad here. In reality, security is hard to the point of sheer impossibility regardless of what you do, if you hold everything to equally strict standards. If this leads you to write off apt probably the only consistent thing to do is stop using software entirely, honestly. Nothing is secure to that standard, and even with "certified software" one would forever be wondering about whether the certifiers have their own motives. It seems disingenuous to try to use this as an excuse to slag apt specifically, when with the standards you're using you ought to be yelling about many more things, including your putative solution. (How are you sure your signature checking code wasn't compromised?)

[morganvachon]

> Author source repos have been hacked before, they'll be hacked again.

Yes, and when that happens it can affect apt packages and manual installations equally.

> I think what people are sensing, even if they can't put their finger on it, is that you're applying fairly arbitrary standards of what's good and bad here.

I think what's going on is that I made the mistake of saying what I'm inclined to do for me, in a forum that often follows a hive mind approach. I'm not bashing apt, nor Debian, all I said was that I'm inclined to go back to doing things the hard way because it's net more secure for me. I realize that in larger numbers, a system like apt (or yum or pacman) is more secure for users en masse, even factoring in temporary lapses like this. But that was never my focus; I was simply indicating that this would be the final push to send me back to familiar territory on my desktop. Everyone jumped on the bandwagon and tried to claim that I said I wouldn't verify source in Slackware, just so they could "win" a discussion and get fake internet points. It's one of the few things about this community that feels immature to me, but then I remind myself that here I'm an old fart surrounded by kids in college or just coming out of it. It's a completely different mindset.

> How are you sure your signature checking code wasn't compromised?

I covered this in another comment, but years ago I wrote a bog-simple script to verify hashes. My code wasn't compromised because it's my code.

[vacri]

I'm not bashing apt vs you can't even trust the package manager on the most widespread distro*

Please don't change the story like this, then insult the people you're talking to by denigrating them ('hive mind', 'immature', 'fake win', 'bandwagon', 'college naifs'). The people responding to you are not just trying to 'win' 'fake internet points', they're trying to counter FUD being spread around package security.

You speak of people being immature, but your whole paragraph there is a sniffy, passive-aggressive swipe.

[morganvachon]

You speak of changing stories, yet you changed words I typed (I never said the phrases "fake win" nor "college naifs"). You didn't even have to do that to get your point across. That's the kind of immaturity I'm talking about, and you're only proving it further.

While we're on the topic of FUD, did you miss the part where everyone kept insisting I said I didn't verify sources on Slackware, to the point that I had to affirm twice that I do? Anything to make a point, right? Like I said, children being children. It's not a put down, it's simply an observation.

Let me clear this up so there's no confusion: I don't think apt or Debian are bad. I think there is real issue when a glaring security hole like this goes undiscovered for a very long time. That kind of thing makes me want to run back to what I perceive as a safer distro and packaging system, based on my practices when using said system.

As for this community, yes it is indeed mostly college age and slightly older people, who are, to my old mind, "kids". There's nothing wrong with that, and I never said there was, despite your insinuation and word twisting. That's the target audience for a forum attached to a VC firm, as these young minds are the ones launching startups. However, I've lurked here long enough to realize that there is indeed a hive mind approach to conversations, and once a certain set of commenters starts in, the rest of the crowd follows.

My initial post had been voted up several times before the actual FUD on the part of other commenters started, then came the downvote brigade all because the first few replies to me assumed that I didn't validate sources in Slackware builds, hence my opinion was worthless and wrong. By the time I corrected that oversight, the horde had already marched through and nothing I could say from there would change any minds, no matter how rational it was. At one point someone actually tried to say that I was wrong because the author's sources could be poisoned. The fact that that means both the sources I'd grab for a manual build and the sources the apt package maintainer would grab were equally poisoned was lost on that commenter. Logic flew out the window in the rush to prove me wrong.

I know I'll get downvoted to hell for this but I honestly don't give a shit. I come here for news that other sites won't carry, and now I've learned my lesson about saying anything that doesn't mesh with the hive mind. I'll keep my ornery old mouth shut so you bright young minds can keep following the same narrow paths, new ideas be damned. Good evening.

[vacri]

(I never said the phrases "fake win" nor "college naifs")

No, you didn't literally say those phrases, but those were the concepts you were communicating (if you really want to be pedantic, I didn't actually quote you on those; I was listing the concepts). This retreat into "nuh-uh, those weren't my literal words" is a particularly adolescent form of arguing, when you know damn well what you were actually saying.

I'm an old fart too, and I found your comment to be whiny and full of passive-aggression. It was the hypocrisy of that juxtaposed against your calling other people immature that led me to comment.

now I've learned my lesson about saying anything that doesn't mesh with the hive mind

And now for my own turn at immature comments: grow a pair. Comment as you want to. If you get downvoted from time to time, so what? Just don't get all sniffy and whine about 'hive mind' just because your opinion is unpopular. I've complained about the downmod system here for years - check my profile - and there's no need to resort to tired tropes like 'hive mind'. Besides, if you really don't give a shit, then why hand out the derision?