Nostr Archives
ChipTuner · 13d ago
Yeah this. I think the OP was a bit much. Yes the user could take verification into their own hands like we do, but most won't, so repos, repo maintainers and distributions already (at least the major modern repos) by default already have pretty good signature verification with a pretty user friendly way of verifying and installing keys if needed. 3rd party repos are often signed if users want to get signed packages from the devs too.

Thread context

Root: cd9dd6de9fe7…

Replying to: 9f7a4e0f598a…

Replies (2)

franzap · 13d ago
OP was meant to be over the top, correct.

> pretty user friendly way of verifying and installing keys if needed

Not my experience. That's totally fine, this issue is subjective.
Zsubmariner · 13d ago
For end-users, yeah, the package manager is taking care of it. Even though the key layer actually sucks still, at least it's there. But most devs are way too blasé about supply chain security. Especially in JS and Rust. I cringe every time I see one of those pipe curl to bash one-liners.