by foobarqux 4232 days ago
Signing keys can easily be distributed out of channel and also verified through a chain of trust. Even if you got a forged key you could, at minimum, detect post-facto that the key was fake.

Moreover, there are things you can build on top of signed packages (distributed consensus of signatures and keys) that can't be built on top of curl+pipe.

curl+pipe is mental.


You're right, and I agree with you. Packages that are signed by a trusted party are a reasonable choice; anything less is not reasonable.

But, lots of people add third party software repositories without out-of-channel confirmation of signing keys, and without any awareness of the risks involved in that. I see it more than most (I support server-side software products with a million or so installations), and I'm amazed at how often third party repos are enabled on people's systems, seemingly without any reason other than "more software is better". They often don't even know why/when they enabled those other repos or who operates them.

That's no different than this curl+pipe scenario.
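One way to make the problem in this comment visible on a given machine is to audit which configured repositories are actually pinned to a specific signing key. The script below is an added example, not code from this thread or from any distro tool. It assumes APT's one-line `sources.list` format (the `[signed-by=...]` and `[trusted=yes]` options are real APT options; the deb822 `.sources` format is not handled) and runs over a constructed sample instead of reading `/etc/apt`.

```python
"""Audit APT one-line source entries for weak signature-trust settings.

Added example; not from the thread. Standard library only.
The SAMPLE_SOURCES text below is constructed for the demonstration.
"""
import re

# Constructed sample resembling a dump of /etc/apt/sources.list.d/*.list
SAMPLE_SOURCES = """\
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.org/apt stable main
deb https://mirror.example.net/thirdparty focal main
deb [trusted=yes] http://packages.example.com/debian bullseye contrib
# deb http://disabled.example.org/apt stable main
deb-src [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.org/apt stable main
"""

# One-line format: deb|deb-src [opt=val ...] URI SUITE [COMPONENT ...]
LINE_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+"
    r"(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)(?:\s+(?P<comps>.*))?$"
)


def parse_sources(text):
    """Return a list of entry dicts; commented and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            entries.append({"raw": line, "error": "unparsable"})
            continue
        opts = {}
        for opt in (m.group("opts") or "").split():
            key, _, value = opt.partition("=")
            opts[key] = value
        entries.append({
            "raw": line,
            "type": m.group("type"),
            "uri": m.group("uri"),
            "suite": m.group("suite"),
            "opts": opts,
        })
    return entries


def audit(entries):
    """Flag entries whose signature trust is disabled or not pinned to a keyring."""
    findings = []
    for e in entries:
        if "error" in e:
            findings.append((e["raw"], "could not parse entry"))
            continue
        opts = e["opts"]
        if opts.get("trusted") == "yes":
            # trusted=yes tells APT to skip signature verification entirely
            findings.append((e["uri"], "trusted=yes disables signature verification"))
        elif "signed-by" not in opts:
            # Without signed-by, any key in the global trusted keyring
            # (trusted.gpg / trusted.gpg.d) can sign releases for this repo
            findings.append((e["uri"], "no signed-by keyring; not pinned to a specific key"))
    return findings


if __name__ == "__main__":
    for uri, problem in audit(parse_sources(SAMPLE_SOURCES)):
        print(f"{uri}: {problem}")
```

A `signed-by` entry is only as good as the out-of-channel check done on the keyring it points at; this audit tells you which repositories have not even got that far.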

Yeah, third-party repos are pretty unreasonable. The problem is that software development now moves pretty fast and package maintainers can't or don't want to keep up. That, coupled with the fact that building packages is far too difficult for most distros, incentivizes people to take risks that they shouldn't be taking.

Systems need to be safe by default and they should largely service the needs of users. Distros are no longer doing that.

>They often don't even know why/when they enabled those other repos or who operates them.

Most likely because they either blindly followed instructions from a website or blindly ran an install script from a website, giving it root access. In which case it is basically equivalent to curl + pipe.