On Thu, Jul 1, 2021 at 1:27 PM Jeremy Stanley wrote:
There's nothing especially wrong about using signed-by, but
it's not the security fix some people seem to believe. In short,
*any* package you install can run arbitrary commands as the root
user on your system during installation. Only ever install packages
from sources you implicitly trust, since the people who control
those packages also essentially control your system.
For sophisticated users it isn't very hard to verify that packages
don't do anything malicious as root. `apt install --download-only`,
`dpkg-deb --raw-extract`, read the maintainer scripts and check which
files are installed into the package. Often running the installed
software as a separate user will be good enough isolation for the user
parts. For anything more isolated than that you probably want to use
containment solutions (such as QubesOS, or Flatpak or VMs), probably
generated from Debian binary packages for the security support and
other advantages provided.