Package: apt
Version: 1.8.2

It would be good if users of Linux distributions generally checked, at least from time to time, whether they get the same packages as all other users get. That would be a factor making distribution owners and admins more afraid to serve malware only to some of their users.
How can it be done? When "apt update" runs, I think it downloads the "Release" and "Packages" files. The "Release" file has hashes of several "Packages" files for different CPU architectures, and each "Packages" file has hashes of packages. When "apt upgrade" runs, it probably calculates the downloaded package's hash and checks it against the hash in the "Packages" file. So, in order to serve a package with malware to a user, distribution/repository admins would also have to serve him wrong "Packages" and "Release" files. So, if the user checks that the "Release" file is OK, that is enough; he can be sure that the packages are also OK. He should download the "Release" file from several independent mirrors and compare them. If the version from a mirror differs from the version from the distribution's server, then, if the signature of the files is OK, it means that the distribution served him a wrong file.

But Debian's policy is not like this. See https://www.debian.org/mirror/ftpmirror.en.html : "The debian-security/ archives contain the security updates released by the Debian security team. While it sounds interesting to everyone, we do not recommend to our users to use mirrors to obtain security updates and instead ask them to directly download them from our distributed security.debian.org service. We recommend debian-security not be mirrored."

Why is the policy such? The problem this policy solves is that mirrors can stay un-updated for a long time, thus keeping users vulnerable. I think there are alternative ways to solve this problem. Release files include a date. apt could get the Release file from the mirror and also from Debian's own server, check whether there are new updates in the version from Debian's own server, and how old the mirror's version actually is relative to the new updates.

This policy of recommending to use only one central repository is not very good. It looks like "Grand-mamma, what great arms you have got!" "That is the better to hug thee, my dear." in the Little Red Riding Hood fairy tale ( https://en.wikisource.org/wiki/Little_Red_Riding_Hood ). It is like Debian says "users, you must trust us". But Debian is not as trusted as a grandma for users. From the users' point of view, Debian may have to send malware to some users by government request. Speaking of all distributions, there may be malicious distributions. All packages are published in source and binary forms, so people can check them later and find some bugs, and thus malicious and bad-quality distributions can be caught, and thus trust in different distros can be formed. But the advantages of publicity for being aware of spyware are lost if users generally do not check whether they get the same files as all other users do; in that case, if admins send malware only to some users while serving good packages to other users, that malware has a high chance of not being caught. I think package hashes should better be automatically checked against different independent hash mirrors.
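One way to implement the cross-mirror check the reporter describes, as an added example that is not part of the bug report and not apt's own code. It takes the Release file from the distribution's own server as the reference, compares the Packages-file digests listed in each mirror's Release file against it, and reports how far the mirror's Date field lags behind. A mirror whose digests differ while its Date is older is reported as "stale" (the problem Debian's mirror policy is about); a mirror whose digests differ under the same or a newer Date is reported as "inconsistent", which is the case the reporter wants users to notice. It assumes that signature verification of every Release file (Release.gpg / InRelease) has already been done by apt or gpgv, and that all sample Release and Packages contents, mirror names and the path main/binary-amd64/Packages are constructed for the example (the digests are real SHA-256 values of the constructed Packages text, not anything from the archive):

```python
"""Cross-mirror consistency check for apt Release files (added example).

Not code from the bug report or from apt. Signature verification of each
Release file is assumed to happen before this check and is not shown.
All sample data below is constructed for the example.
"""
import hashlib
from email.utils import parsedate_to_datetime

HASH_SECTIONS = ("MD5Sum", "SHA1", "SHA256")
PACKAGES_PATH = "main/binary-amd64/Packages"   # assumed archive layout (sample)


def parse_release(text):
    """Parse a plain (detached-signature) Release file.

    Returns (fields, hashes): fields maps header name -> value; hashes maps
    section name (e.g. "SHA256") -> {path: (hexdigest, size)}.
    """
    fields, hashes, section = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":                  # indented: entry of a hash list
            if section is not None:
                digest, size, path = line.split()
                hashes[section][path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")   # only the first colon separates
        if key in HASH_SECTIONS and not value.strip():
            section = key
            hashes.setdefault(section, {})
        else:
            section = None
            fields[key] = value.strip()
    return fields, hashes


def differing_paths(reference, mirror, section="SHA256"):
    """Paths whose digest or size in the mirror's Release differ from the reference."""
    ref, mir = reference[1].get(section, {}), mirror[1].get(section, {})
    return sorted(path for path in ref if mir.get(path) != ref[path])


def lag_seconds(reference, mirror):
    """Seconds by which the mirror's Release Date is behind the reference's."""
    ref_date = parsedate_to_datetime(reference[0]["Date"])
    mir_date = parsedate_to_datetime(mirror[0]["Date"])
    return (ref_date - mir_date).total_seconds()


def classify_mirror(reference_text, mirror_text):
    """Return (verdict, lag, differing paths).

    consistent   - same digests as the reference
    stale        - different digests and an older Date (mirror not updated)
    inconsistent - different digests under the same or a newer Date, i.e.
                   someone served different content for the same release
    """
    reference, mirror = parse_release(reference_text), parse_release(mirror_text)
    diffs = differing_paths(reference, mirror)
    lag = lag_seconds(reference, mirror)
    if not diffs:
        verdict = "consistent"
    elif lag > 0:
        verdict = "stale"
    else:
        verdict = "inconsistent"
    return verdict, lag, diffs


def verify_packages(release_text, path, data, section="SHA256"):
    """Check a downloaded Packages file against its Release entry (size + digest)."""
    digest, size = parse_release(release_text)[1][section][path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


# --- constructed sample data (not from any real mirror) ----------------------

def make_release(date, packages_blob):
    """Build a minimal Release file listing one Packages file (sample only)."""
    digest = hashlib.sha256(packages_blob).hexdigest()
    return ("Origin: Debian\nSuite: buster\nDate: %s\nSHA256:\n %s %d %s\n"
            % (date, digest, len(packages_blob), PACKAGES_PATH))

PACKAGES_NEW = b"Package: hello\nVersion: 2.10-2\nArchitecture: amd64\n\n"
PACKAGES_OLD = b"Package: hello\nVersion: 2.10-1\nArchitecture: amd64\n\n"
PACKAGES_TAMPERED = b"Package: hello\nVersion: 2.10-2+evil\nArchitecture: amd64\n\n"

REFERENCE = make_release("Sat, 09 Mar 2019 10:00:00 UTC", PACKAGES_NEW)  # distro's own server
MIRRORS = {
    "mirror-a": make_release("Sat, 09 Mar 2019 10:00:00 UTC", PACKAGES_NEW),       # identical
    "mirror-b": make_release("Thu, 07 Mar 2019 10:00:00 UTC", PACKAGES_OLD),       # two days behind
    "mirror-c": make_release("Sat, 09 Mar 2019 10:00:00 UTC", PACKAGES_TAMPERED),  # same date, other content
}


def check_mirrors(reference_text=REFERENCE, mirrors=MIRRORS):
    """Verdict, lag in seconds and differing paths for every mirror."""
    return {name: classify_mirror(reference_text, text)
            for name, text in mirrors.items()}


if __name__ == "__main__":
    for name, (verdict, lag, diffs) in check_mirrors().items():
        print("%-8s %-12s lag=%7.0fs differing=%s" % (name, verdict, lag, diffs))
```

In real use the Release texts would come from `urllib` or from apt's own cache under /var/lib/apt/lists/, and only after their signatures verified; the point of the comparison is that a Release file which verifies but lists different digests than the reference for the same Date cannot be explained by a lagging mirror.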