DarkNova6 6 hours ago

And this is the best-case scenario. Because once updates become opt-out, it simply becomes an attack vector of another type.

If the updated code is not open source, you are trusting blindly that some kind of different remote code execution did not just happen without you knowing it.

franktankbank 5 hours ago | parent

If you don't personally review every line then you are already trusting blindly.

hyperpape 5 hours ago | parent

As blind as my belief that Asia exists, because I haven't personally navigated there. Hell, I've used electricity (using it right now), but I couldn't do the experiments you need to do to get myself to an 1850s level of understanding of how it works, much less our current level.

I trust that Linux has a process. I do not believe it is perfect. But it gives me a better assurance than downloading random packages from PyPI (though I believe that the most recent release of any random package on PyPI is still more likely safe than not; it's just a numbers game).

franktankbank 5 hours ago | parent

I get what you are saying, but as you said, if you are already under attack you can't trust your own computer; you just hope that you aren't downloading another exploit/bogus update. Real software, I imagine, is not so easy to pwn so completely, but I don't know.