A matter of perspective I think. It’s a flaw in my opinion. Just downloading anything from anywhere sets one up for failure/malware.
Code Signing on its own is useless, I think. If there is no distribution structure or user-validated trustchain, of course. But then you don’t really need Code Signing, a simple hash is enough.
My personal preference is the distro repos, to the point where I even dislike additional package managers like pip, npm or cargo.
I’m sorry, I don’t think I can see the point you are making. Are you saying that one can get around the 3-5 people by using flatpaks, ro home directories and other mitigations?