Hi, mostly i use REHL based distros like Centos/Rocky/Oracle for the solutions i develop but it seems its time to leave…
What good server/minimal distro you use ?
Will start to test Debian stable.
Hi, mostly i use REHL based distros like Centos/Rocky/Oracle for the solutions i develop but it seems its time to leave…
What good server/minimal distro you use ?
Will start to test Debian stable.
This is not correct. APT always verifies cryptographic signature unless you explicitly disable it. Yet it’s very important to understand who is signing packages. What kind of review process did the software go through? What kind of vetting did the package maintainer themselves go through?
If software is signed only by the upstream developer and no 3rd party review is done by a distribution this means trusting a stranger’s account on a software forge.
Update: the Debian infrastructure supports checking gpg signatures from upstream developers i.e. on the tarballs published on software forges.
You’ve misunderstood what I wrote.