
It comes down to history, long term track record of reliability, and responsibility. The number of times that actual malicious software has made it into an official Debian apt repository is very, very low. The people who build the .deb packages and make them available (with appropriate GPG keys and hashes) keep things secure and are generally very trustworthy individuals.

https://wiki.debian.org/SecureApt

At a certain point it does come down to trust. From the position of a potential attacker, you can't just upload a randomly built thing to the official CentOS or Debian repositories and expect it to be made available to the rubes.

Very different than people downloading and trusting random Docker images.
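The SecureApt chain the comment points to (the archive key signs the Release file, Release lists the hashes of the Packages indexes, and Packages lists the hash of each .deb), as an added example that is not from the comment or from Debian's apt code. It checks the two hash layers over constructed sample data and assumes the Release signature has already been verified with gpgv, which it does not model.

```python
import hashlib

DEB_BYTES = b"test"  # constructed stand-in for a .deb; its SHA256 is listed in the index below
# Constructed apt Packages index (the per-package hash layer).
PACKAGES_INDEX = b"""Package: example
Filename: pool/main/e/example/example_1.0-1_amd64.deb
Size: 4
SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

# Constructed Release fragment (the index hash layer). In a real archive this is
# the file the archive key signs; apt runs gpgv on it before trusting any hash.
RELEASE_FILE = (
    "Suite: stable\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES_INDEX).hexdigest()} {len(PACKAGES_INDEX)}"
    " main/binary-amd64/Packages\n"
)

def parse_release_hashes(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 block of a Release file."""
    hashes, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        else:
            in_block = False  # any other top-level field ends the block
    return hashes

def parse_packages(index_bytes):
    entries = {}  # Filename -> (sha256_hex, size) for each stanza of the index
    for stanza in index_bytes.decode().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in fields:
            entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries

def matches(data, expected):
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def verify_chain(release_text, index_path, index_bytes, deb_path, deb_bytes):
    """Release -> Packages -> .deb; False if either hash layer does not line up."""
    idx = parse_release_hashes(release_text).get(index_path)
    if idx is None or not matches(index_bytes, idx):
        return False
    deb = parse_packages(index_bytes).get(deb_path)
    return deb is not None and matches(deb_bytes, deb)
```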

> Very different than people downloading and trusting random Docker images.

I'd say there is a difference between using official Docker images (from the software vendor) and images from a random person.

Official images exist for most popular packages, under a separate namespace, and usually have checksums published, etc.
