Comment by craftkiller

No it wasn't. The comment I replied to claimed:

> This is no different from installing a random package through a package manager

I replied "No it isn't" in response to that, so I was claiming that a package manager was different (in terms of security) from doing curl | sh.

My comment then went on to explain specific attacks (a mirror being compromised) which are solved by package managers / cryptographic signatures.

At no point did I ever claim package managers were immune to all attacks. A compromised build server, leaked keys, or the upstream program thats being packaged being malicious are all still possible.

Its very simple, my Arch Linux install is pointed at the MIT mirrors. What is stopping the Massachusetts Institute of Technology from replacing my next firefox update with a virus? Cryptographic signatures. They don't have an Arch Linux signing key. What would be stopping them if I installed firefox by doing curl | sh? Nothing.