On Thu, Mar 7, 2013 at 10:34 PM, R. Mattes <rm(a)mh-freiburg.de> wrote:
> Which distribution _doesn't_ sign its packages? What code is weakly protected?
> Even most major download/DVCS sites use secure communication channels these days
> (https). The problem is the naive assumption that self-compiled code would be more
> secure. Not a Linux problem, I'd say ...

Smaller distros don't necessarily sign packages (mine, Arch, started
doing it relatively recently). The implicit 'trust-the-dev' still
applies though, even with signing.