For me, it’s not enough to verify the integrity of an ISO – I also have to verify its authenticity (or at least verify the checksum file) with GPG. I don’t know why, but I just need to see that “Good signature” message before I feel safe installing Linux.

I notice, though, that the download pages of some prominent distros (Pop!_OS, openSUSE, etc.) just give you a checksum, probably because they feel that anything else is unnecessary. This makes me shy away from installing them, which is a shame because I’d like to give some of those distros a try on bare metal.

Am I being paranoid when it comes to installing Linux?

  • moreeni@lemm.ee · 9 months ago (42 up, 1 down)

    Somebody could’ve pushed malware in the code, write all software yourself.

      • OddFed@feddit.de · 9 months ago (31 up, 1 down)

        Someone could have compromised the CPU interface, better build one from scratch.

        • russjr08@outpost.zeuslink.net · 9 months ago (24 up, 1 down)

          Someone could’ve compromised the materials used to build the CPU, better assemble the atoms together one by one.

          • Sidewayshighways@yall.theatl.social · 9 months ago (22 up, 1 down)

            Someone could’ve hidden something malicious in all that empty space between the atoms, better come up with a whole new structure of the universe.

            • DarkenLM@kbin.social · 9 months ago (15 up)

              Someone could have hidden something malicious within your ideas, better create a whole new conceptual system.