Hi, mostly i use REHL based distros like Centos/Rocky/Oracle for the solutions i develop but it seems its time to leave…

What good server/minimal distro you use ?

Will start to test Debian stable.

  • federico3@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    2 years ago

    This is not correct. APT always verifies cryptographic signature unless you explicitly disable it. Yet it’s very important to understand who is signing packages. What kind of review process did the software go through? What kind of vetting did the package maintainer themselves go through?

    If software is signed only by the upstream developer and no 3rd party review is done by a distribution this means trusting a stranger’s account on a software forge.

    Update: the Debian infrastructure supports checking gpg signatures from upstream developers i.e. on the tarballs published on software forges.

    • ono@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      2 years ago

      This is not correct. APT always verifies cryptographic signature unless you explicitly disable it.

      You’ve misunderstood what I wrote.