
> The concept of software distribution being a tar.gz.gpg or verifiable md5 file is obsolete. Behind the scenes something like apt-get does sign things but how to integrate its list of keys with the end user is a mystery, it's essentially magic. Besides, it provides no security due to lack of MITM attacks in practice.

The very first bootstrap is impossible to do securely in the general case short of building a computer from scratch, but you can do things that make it difficult to attack, e.g. ask a bunch of different friends what the sha1sum of the latest Debian release should be.

On the assumption that you manage to get a non-compromised version of Debian installed you are secure even against MitM attacks; there's a chain of trust, every package has been signed by a key that has a key fingerprint claimed by a specific human maintainer, and new maintainers can only join after at least one maintainer has confirmed their identity against a government-issue document. Of course this doesn't make attacks impossible (e.g. rubber-hoses against one of the maintainers), but it makes the cost a lot higher.
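Added example (not part of the thread or any commenter's code): the "ask several different friends for the checksum" bootstrap check from the comment above, sketched in Python. It uses SHA-256 rather than the sha1sum the comment mentions; the function names, the three-source threshold and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from collections import Counter

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")

def file_digest(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so a large image is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def quorum_digest(reports, min_agree=3):
    """Return the digest every source reported, or raise ValueError.

    reports maps a source name to the digest that source gave you.
    A dissenting source is never outvoted: disagreement means one channel
    may be tampered with, so the whole check fails.
    """
    cleaned = {}
    for source, value in reports.items():
        digest = value.strip().lower()
        if not HEX_SHA256.match(digest):
            raise ValueError(f"malformed digest from {source}")
        cleaned[source] = digest
    counts = Counter(cleaned.values())
    if len(counts) > 1:
        raise ValueError(f"sources disagree: {dict(counts)}")
    if len(cleaned) < min_agree:
        raise ValueError(f"need {min_agree} independent sources, got {len(cleaned)}")
    return next(iter(counts))

def verify_image(path, reports, min_agree=3):
    """True only if the local file matches the digest all sources agree on."""
    expected = quorum_digest(reports, min_agree)
    return hmac.compare_digest(file_digest(path), expected)

if __name__ == "__main__":
    import tempfile
    data = b"constructed stand-in for an installer image"
    good = hashlib.sha256(data).hexdigest()
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    # Constructed reports: three sources, one pasted in upper case.
    print(verify_image(tmp.name, {"alice": good, "bob": good.upper(), "carol": good}))
```

The check is only as strong as the independence of the sources: three answers that all came from the same mirror or the same network path count as one.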



Great - how do I get a non-compromised smartphone? :/

I'm kidding but I'm also serious.


Yeah. I fear the open-source side only ever catches up once something becomes commoditized, so the actual answer is probably that if you care enough you use a weird and slow phone built for this stuff (that Mozilla phone project?), you use whatever the current replacement ROM project is (I would hope one of Cyanogen et al would offer a carefully signed open-source build - I haven't actually looked), or you wait a few years.


Even if Cyanogen was perfect, there's a closed-source firmware running baseband processor with complete access to system memory, microphone, GPS, and the network.



