It's signed by a key that's obtained from a URL owned by the same person. Sure, you can't attack devices already using the repo, but new installs are fair game.
And are URLs (w/ DNSSEC and TLS) really that easy to hijack?
> And are URLs (w/ DNSSEC and TLS) really that easy to hijack?
During the Google Domains-Squarespace transition, there was a vulnerability that enabled relatively simple domain takeovers. And once you control the DNS records, it's trivial to get Let's Encrypt to issue you a cert and adjust the DNSSEC records to match.
What is the difference between a random website or domain, and the package manager of a major distribution, in terms of security? Is it equally likely they get hijacked?
The issue is not the package manager being hijacked but the package. And the package is often outside the "major distribution" repository. That's why you use curl | bash in the first place.
Your question does not apply to the case discussed at all, and if we modify it to apply, the answer does not argue your point at all.