by morganvachon 4288 days ago
So then what's the difference between a broken apt not properly validating the source, and the user getting the source from the author, validating it by hand, and then compiling and installing? At least in the latter scenario, the user can be sure it's properly validated.

Personally, I'll choose the latter. Not only is apt a middleman, now it's a compromised middleman. Throw out the middleman and you have only yourself and the author.

You are willing to go through that much effort to download a single package? Sure, I love my privacy and security, but I have never had a problem on Ubuntu with that. If I ever have to do something particularly sensitive, setting up a virtual machine or booting a different OS temporarily would be less effort.

Do I verify signatures when downloading and building from source on Slackware? Yes, I do. Slackware itself comes with nearly all the software I need already. The few programs I need to get beyond that, I always verify hashes. I do this using a script I wrote myself (I'm not a programmer by trade but I can bash out a script, no pun intended). I really don't understand why that's surprising; slackbuilds.org encourages its users to verify source tarballs before compiling, and it's a few seconds of extra work.

The few seconds of manual verification can add up, especially when millions of users do it. That effort could be better spent in auditing a middle-man tool and fixing it for the benefit of all.
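
The hash check described in the Slackware comment above, sketched as an added example (not the commenter's script and not part of the thread). It reads a SlackBuilds.org-style `.info` file, assumes its `DOWNLOAD` and `MD5SUM` fields list sources and hashes in the same order and that the downloads sit next to it; `verify_sources` and `demo` are hypothetical names.

```shell
#!/bin/sh
# Added example, not the commenter's script. Checks every source file named in
# a SlackBuilds.org-style .info file against its MD5SUM entry before building.
# Assumption: the downloads sit in the same directory as the .info file.

verify_sources() (                     # subshell body: settings stay local
    info=$1
    [ -r "$info" ] || { echo "cannot read $info" >&2; exit 1; }
    dir=$(dirname "$info")
    set -f                             # no globbing on URL characters
    DOWNLOAD='' MD5SUM=''
    # Sourcing executes the .info as shell; it ships alongside the build
    # script you are about to run, so it gets the same trust as that script.
    . "$dir/$(basename "$info")"
    set -- $MD5SUM                     # expected hashes become $1, $2, ...
    n=0
    for url in $DOWNLOAD; do n=$((n + 1)); done
    [ "$n" -gt 0 ] && [ "$n" -eq "$#" ] ||
        { echo "FAIL: $n URLs but $# hashes" >&2; exit 1; }
    rc=0
    for url in $DOWNLOAD; do
        want=$1; shift
        file=$dir/${url##*/}           # local name = last URL path component
        if [ ! -f "$file" ]; then
            echo "MISSING  $file" >&2; rc=1; continue
        fi
        got=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $file"
        else
            echo "MISMATCH $file (expected $want, got $got)" >&2; rc=1
        fi
    done
    exit "$rc"                         # non-zero unless every file matched
)

# Constructed demo: one fake tarball plus a matching .info in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed sample source\n' > "$d/foo-1.0.tar.gz"
    sum=$(md5sum "$d/foo-1.0.tar.gz" | cut -d' ' -f1)
    printf 'PRGNAM="foo"\nDOWNLOAD="https://example.invalid/foo-1.0.tar.gz"\nMD5SUM="%s"\n' \
        "$sum" > "$d/foo.info"
    verify_sources "$d/foo.info"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

The check is only as trustworthy as the channel the `.info` file itself arrived over.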