156
"GitHub" Is Starting to Feel Like Legacy Software - The Future Is Now
(www.mistys-internet.website)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 13 Jul 2024
156 points (90.6% liked)
Open Source
30274 readers
305 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
- !libre_culture@lemmy.ml
- !libre_software@lemmy.ml
- !libre_hardware@lemmy.ml
- !linux@lemmy.ml
- !technology@lemmy.ml
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
My bad for causing confusion: when I wrote "trusted signature" I should have said "trusted public key".
The signatures in an apt repo need to be verified with some public key (you can think of signatures as hashes encrypted with some private key).
For the software you install from your distro's "official" repo, that key came with the .iso back when you installed your system with (it may have been updated afterwards, but that's beyond the point here).
When you install from third-party repos, you have to manually trust the key (IIRC in Ubuntu it's something like
curl <some-url> | sudo apt-key add -?). So, this key must be pre-shared (you usually get it from the dev's website) and trusted.@gomp Yes but the point is that it comes from a different place and a different time, so for you to execute a compromised program, it would have to be compromised for a prolonged time without anyone else noticing. You are protected by the crowd. In curl|sh you are not protected from this at all