Skip to main content
Unix & Linux

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

5
  • Not all distros use signed packages ((( but then people shouldn't be using such, but how will they know? Lastly, have you actually verified Ubuntu rejects unsigned/badly signed packages? I've verified that in Fedora - works beautifully, never seen anyone demonstrate it in Ubuntu. Commented Jul 11, 2022 at 7:57
  • I’m answering for Ubuntu, not all distros ;-). And yes, the package manager refuses unsigned or badly-signed repository metadata, and rejects packages which don’t match the repository metadata. Commented Jul 11, 2022 at 8:06
  • 1
    Agreeing with what you write (and on a side note able to confirm that this would be true with gentoo's portage too), one could nevertheless highlight that the highest risk with unsecured networks is not that much on the trustability of what you download than on the high probability of what you download leaking. Relating to system updates and, depending on the system, it might be considered a security risk to have the world and his dog knowing precisely the software it is running. Commented Jul 11, 2022 at 8:52
  • Please note that (at least) no firmware package could be signed with a debian logo as there is no way to know what is inside those. (The second column in a synaptic list of packages). Commented Jul 11, 2022 at 9:15
  • @QuartzCristal signatures don’t say anything about what’s inside a package; they serve to prove that packages haven’t been tampered with. Commented Jul 11, 2022 at 9:22