by moe
4159 days ago
Yes, apt is indeed one of the best we have (the one-eyed amongst the blind). Sadly it's still using a flawed[1] trust model where you trust repositories rather than publishers. And the UI-shim over GnuPG is 'basic' at best (to put it politely). To add insult to injury, deb/dpkg itself actually does contain a mechanism for package-level signing. But as far as I know no distro is using it. To add even more insult to injury, all mobile platforms and both Windows and OSX have more reasonable package security models than Linux today.

[1] This is fine for guarding against compromised mirrors - and not much else.
Whether or not this buys you any extra security, I'm not sure. In reality I don't think many users check maintainer keys when asked if they want to trust them, but they could.