Most Linux distributions fully trust the packagers and a central build / signing server, along with not verifying signatures for sources. I think you're unfamiliar with how it works elsewhere if you think trusting 20 vetted people to sign builds of packages is bad.
Conversation
Having a central build / signing server doesn't mean a developer wasn't also fully trusted with what they told the server to build, without anyone reviewing what they asked it to build. It's usually not the case that a central build server is trusted *instead* of developers.
2
I will take a central builder/signer over a bunch of TOFU signing keys for signing random binary blobs who knows built who knows how on who knows what, thank you very much
2
Mystery binaries, signed by random keys. But it’s secure, because TOFU.
1
You’re arguing 15 different points at once in an incredibly incoherent manner while spouting insults.
2
Instead of saying shit like this, if you want to have a productive conversation, provide clarafications? This is just negging.
Quote Tweet
Replying to @bascule and @hdevalence
I never said that.
1
I don't know what else to say beyond that I didn't say that. I don't understand why you're mad at me. I've been trying my best to clarify what I said initially and I wasn't trying to turn it into something hostile.
1
Here is what you said:
Quote Tweet
Replying to @DanielMicay @bascule and @hdevalence
Developers build and sign the binary packages with their own keys. They're responsible for the security of their packages. The package manager trusts packages signed by a packager with at least 3/5 signatures from the master keys on their personal package signing key.
2
A small set of developers has been vetted, received commit access and received signatures for their packaging keys. It isn't open to anyone. They had to have been around as part of the community maintaining source packages outside the official repositories for a long time, etc.
1
It's far from a perfect system. Ideally, every package would have reproducible builds and multiple signatures could be required. That's ongoing work. Many upstream projects also don't sign their releases, and some don't even have HTTPS.