Hacker News

When did I ever say I wouldn't verify signatures? Does everyone here just assume that because I didn't spell it out, I wouldn't do that?

The only difference between me validating the source and building and installing it myself, and trusting apt to do all that for me, is that apt has been proven to be vulnerable. I'm not going to purposely install non-vetted code on my system, but now it's been proven that apt very well might do that. Again, how is a broken apt more secure than me manually vetting the source, when it comes to my own system?


