Comment by lrvick
1 month ago
> It makes it sound like a very amateurish operation.
Wait until you find out how every major Linux distribution, and the software that powers the internet, is maintained. It is all a wildly under-funded shit show, and yet we do it anyway because letting the corpos run it all is even worse.
What do you mean by "major distribution"?
e.g. AS41231 has upstreams with Cogent, HE, Lumen, etc... they're definitely not running a shoestring operation in a basement. https://bgp.tools/as/41231
Yet most distros have maintainers build and sign their own package recipes and/or artifacts on their own random home workstations, infected with who knows what, so the trust is distributed (but not decentralized), which is the worst of all worlds. And that is for the ones that bother with maintainer signing at all; distros like Nix and Alpine fully skip caring about bare-minimum supply chain security.
Some distros do build on a centralized machine, but almost always one that many maintainers have access to from their workstations, so once again any single compromised home computer backdoors everything.
The trust model of the Linux distros that power most servers on the internet is totally yolo, without the funding to even approach doing build and release right, let alone code review. One compromised maintainer workstation burns it all to the ground.
Sorry if this ruins anyone's rosy worldview. The internet is fragile as hell, and one bored teen away from another Slammer-worm-style meltdown.
Relevant context: I founded stagex exactly because no previous Linux distribution has a decentralized trust story appropriate for production use hosting public internet services.
Once you decentralize supply chain trust, the question of "which place and which people do we trust for the one holy server" totally goes away.
This is 100% false.
Once supply chain attacks enter your threat model, you suddenly realize that the entire internet breaks if any one of a few hundred volunteer-owned home computers is compromised.
Fixing this requires universal reproducible builds redundantly built and signed by independently controlled hardware. Once you have that then you no longer have single points of failure so centralized high security colo cost becomes a moot issue.
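The last comment's requirement, "reproducible builds redundantly built and signed by independently controlled hardware", comes down to a k-of-n check on the consumer side: accept an artifact digest only when enough distinct, pinned builder keys signed the same digest, and treat any builder that signed something else as a suspect. The Go program below is an added example written for this thread, not stagex code or any distro's real attestation format; the `Attestation` struct, the builder names, the artifact bytes and the `TrustedKeys` roster are all constructed for the demonstration, and Go is used because `crypto/ed25519` is in its standard library, so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Attestation: what one independently controlled builder publishes, the
// digest of what it built, signed with its own key (hypothetical format).
type Attestation struct {
	BuilderID string
	PubKey    ed25519.PublicKey
	Digest    [32]byte
	Sig       []byte
}

// Builder stands in for one maintainer-controlled build machine.
type Builder struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewBuilder(id string) Builder {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Builder{ID: id, priv: priv}
}

// Attest signs the sha256 of whatever this builder actually produced.
func (b Builder) Attest(artifact []byte) Attestation {
	d := sha256.Sum256(artifact)
	pub := b.priv.Public().(ed25519.PublicKey)
	return Attestation{BuilderID: b.ID, PubKey: pub, Digest: d, Sig: ed25519.Sign(b.priv, d[:])}
}

// TrustedKeys is the consumer's pinned builder roster, obtained out of band.
func TrustedKeys(builders ...Builder) map[string]ed25519.PublicKey {
	m := map[string]ed25519.PublicKey{}
	for _, b := range builders {
		m[b.ID] = b.priv.Public().(ed25519.PublicKey)
	}
	return m
}

// Verify accepts a digest only if at least k distinct pinned builders signed
// it and no other digest also reached k (a split vote means a
// non-reproducible build or a mass compromise, so refuse). Unknown or
// swapped keys, bad signatures and repeat signatures from one key add no
// vote. Returns accepted, winning hex digest, and valid signers that
// disagreed (the candidates for a compromised builder).
func Verify(atts []Attestation, trusted map[string]ed25519.PublicKey, k int) (bool, string, []string) {
	votes := map[[32]byte]map[string]bool{} // digest -> set of builder IDs
	for _, a := range atts {
		pk, ok := trusted[a.BuilderID]
		if !ok || !bytes.Equal(pk, a.PubKey) || !ed25519.Verify(pk, a.Digest[:], a.Sig) {
			continue
		}
		if votes[a.Digest] == nil {
			votes[a.Digest] = map[string]bool{}
		}
		votes[a.Digest][a.BuilderID] = true
	}
	var winners [][32]byte
	for d, s := range votes {
		if len(s) >= k {
			winners = append(winners, d)
		}
	}
	if len(winners) != 1 {
		return false, "", nil
	}
	var dissent []string
	for d, s := range votes {
		if d != winners[0] {
			for id := range s {
				dissent = append(dissent, id)
			}
		}
	}
	sort.Strings(dissent)
	return true, hex.EncodeToString(winners[0][:]), dissent
}

func main() {
	a, b, c, d := NewBuilder("a"), NewBuilder("b"), NewBuilder("c"), NewBuilder("d")
	good := []byte("pkg-1.0 reproducible bits") // constructed stand-in for a build output
	bad := []byte("pkg-1.0 backdoored bits")    // what a compromised builder d emits
	atts := []Attestation{a.Attest(good), b.Attest(good), c.Attest(good), d.Attest(bad)}
	fmt.Println(Verify(atts, TrustedKeys(a, b, c, d), 3)) // true <sha256 of good> [d]
}
```

The point of the set-per-digest bookkeeping is that a single stolen key cannot manufacture a quorum by signing many times, and a builder whose output differs from everyone else's is surfaced as a dissenter rather than silently ignored; requiring exactly one digest at the threshold is what turns "the build is not reproducible" into a hard failure instead of a coin flip between two signed artifacts.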