undefined | Better HN

0 pointsdeadbunny7y ago0 comments

Sure it does. I add that companies repo to my sources and install their packages. I'm trusting their keys to install their software. I'm not trusting them to install software they have zero control over.

0 comments

3 comments · 1 top-level

TingPing7y ago· 2 in thread

Flatpak repos are GPG signed, nothing changes.

deadbunnyOP7y ago

Yes it does. I go from trusting one vendor (with one key) to install one package (and dependencies) to one 3rd party repo (with one key) to install N packages, and the owners of the 3rd part repo don't verify the uploaders to their repo.

That's going from trusting 1 person to trusting thousands.

TingPing7y ago

There is nothing stopping one repo containing one app+runtime.

1 more reply

j / k navigate · click thread line to collapse