> At least on ubuntu and centos I had no problem installing unsigned packages, no warnings, nothing, it's allowed by design. Try it yourself.
Manually, through yum localinstall or by referencing a local RPM or a manual rpm command, or an unsigned package in the remote repos? I've seen repos configured with signing keys have problems and the install command fails, so I assume you're referring to manually.
I think what you're seeing is that the package manager utilities (yum/dnf/apt/whatever) are all capable of verification, but are also happy to install things without verification in many cases. But if the RPM you downloaded is signed and RPM has had signatures loaded into it and there's a mismatch between what the rpm utility knows about and what the RPM you're installing is signed with, rpm will complain very loudly and fail (I have had to add --nosignature to rpm commands in some cases and import keys into rpm in others).
In addition to at the RPM level, the repos themselves often indicate a gpg key that packages are signed with, which the system package maintainers, which is what I was somewhat ambiguously referring to in my prior comment as package managers (in which I meant the managers of the system packages), will sign all packages they publish with so the integrity of updates and additional software they provide can be confirmed.
Given that, I'm not sure how you can maintain that the package management utils on systems do the same thing as piping arbitrary internet content to a bash prompt. I think you were just possibly a bit mistaken about what the package management utilities are really doing and enforcing with their signatures.
> It's called distro repo, package managers don't contain packages.
It's called the packages the OS provides. It's called many things. My terminology was somewhat ambiguous.
> This has nothing to do with security, you can trust your system to run malware correctly too, just like any system does it.
Sure it does. If you trust your system to run malware from the OS providers, then you don't have to care what other software you're downloading and running, you've already set your trust level of the system to "none".
If you do trust the OS provider (whether that by a Linux distro, MS for Windows or Apple for Mac OS) to not be malicious (and please, let's forestall any digression into privacy, we're talking about malicious intent not allowed by EULAs), then you should trust the other software they provide that's verifiably from them.
Manually, through yum localinstall or by referencing a local RPM or a manual rpm command, or an unsigned package in the remote repos? I've seen repos configured with signing keys have problems and the install command fails, so I assume you're referring to manually.
I think what you're seeing is that the package manager utilities (yum/dnf/apt/whatever) are all capable of verification, but are also happy to install things without verification in many cases. But if the RPM you downloaded is signed and RPM has had signatures loaded into it and there's a mismatch between what the rpm utility knows about and what the RPM you're installing is signed with, rpm will complain very loudly and fail (I have had to add --nosignature to rpm commands in some cases and import keys into rpm in others).
In addition to at the RPM level, the repos themselves often indicate a gpg key that packages are signed with, which the system package maintainers, which is what I was somewhat ambiguously referring to in my prior comment as package managers (in which I meant the managers of the system packages), will sign all packages they publish with so the integrity of updates and additional software they provide can be confirmed.
Given that, I'm not sure how you can maintain that the package management utils on systems do the same thing as piping arbitrary internet content to a bash prompt. I think you were just possibly a bit mistaken about what the package management utilities are really doing and enforcing with their signatures.
> It's called distro repo, package managers don't contain packages.
It's called the packages the OS provides. It's called many things. My terminology was somewhat ambiguous.
> This has nothing to do with security, you can trust your system to run malware correctly too, just like any system does it.
Sure it does. If you trust your system to run malware from the OS providers, then you don't have to care what other software you're downloading and running, you've already set your trust level of the system to "none".
If you do trust the OS provider (whether that by a Linux distro, MS for Windows or Apple for Mac OS) to not be malicious (and please, let's forestall any digression into privacy, we're talking about malicious intent not allowed by EULAs), then you should trust the other software they provide that's verifiably from them.