


No, you seem to have missed my point. I'm only comparing them as distribution channels, not the workflow. If APT is compromised, it's as bad as if any distribution channel is compromised.

What's with the "You don't even seem to understand the difference between apt and debian"? I've used both for countless years by now, so I'm pretty sure I have a solid understanding. If you have anything in particular that seems to be a misunderstanding, please point that out. (Edit: probably this is because I said "Publishing to APT", yeah? If so, yes, you would technically be correct, but I think most people understand what I mean.)

> If you have any issue with how debian manages repo keys

I don't, and I don't think anything in my comment says so either. I'm simply pointing out that if we assume that the distribution channel is compromised, any distribution channel could help distribute malicious software, not just the "curl | bash" method.

Also, as a reminder from the site guidelines:

> Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community. Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.


> I'm simply pointing out that if we assume that the distribution channel is compromised, any distribution channel could help distribute malicious software, not just the "curl | bash" method.

And from that you conclude that all channels must be equal? That's a logical fallacy. There are trusted channels like the debian repos. Or maybe cargo, pypi, etc. And then there is this abomination.

This is like comparing a vaccination at your doctor's office to a needle found in the park (the needle looks respectable, of course) and stating "well, theoretically, my doctor could inject me with poison as well, so it's probably ok to take this one here".


I love me some pypi, but it's hardly a trusted channel. There's no approval process for uploading, and there's very limited code inspection (until last fall there was none). There have been repeated examples of typosquatting malware that has been resident on pypi, which is why there are tons of security products designed specifically to allow you to use pypi safely.

https://www.zdnet.com/article/two-malicious-python-libraries...


> And from that you conclude that all channels must be equal? That's a logical fallacy. There are trusted channels like the debian repos. Or maybe cargo, pypi, etc. And then there is this abomination.

Are you asking me or telling me? The rest of your message assumed that I had already answered the question.

As to my answer: No.


The curl | bash approach smells weird to me, but I still do it from reputable enough sources, since someone who doesn't like it must be reviewing it.

That said, there's ample evidence that the "enough eyeballs" stuff doesn't work as well as we'd like in _any_ of these situations. If a sophisticated actor wanted to insert something malicious, I'm not sure that one method is easier than the other.



