0xDEAFBEAD a year ago
My mental model is that requiring updates to be signed delivers a lot of security bang for your buck. Do you disagree? An attacker can still steal the private key, or identify a flaw in the signature checking code. It looks like there are a variety of other, more constrained attacks: https://theupdateframework.io/docs/security/#attacks-and-wea... But overall, it seems to me that you can make an attacker's life considerably more difficult, for a comparatively small effort.
saghm a year ago
I don't disagree with everything you said, but I don't see how "therefore, you don't need to worry about a critical update without a signature" follows. The reason that it provides a lot of value is specifically because it helps you notice things like what's going on now so you can avoid installing unsigned updates.