
Not sure about apt, but this is solvable. Arch's pacman supports HTTPS and package signing, and only packages signed by trusted maintainers will get installed. That means it should be fairly difficult to swap legit packages for malicious ones and have them get installed.

Not impossible, nothing ever is, but fairly difficult.




APT does HTTPS and multiple flavors of signing; the repo maintainer just has to use it.



