I’m running qubes 4.0 on a Purism Librem 13 v4. I’ve installed updates for my templates without necessarily reading everything in the terminal before clicking “y”. How concerned should I be of having inadvertently installed an unsigned package? Is there a command i can run to check the signatures on all my installed packages? I should mention that I’m relatively new to linux and qubes. How common is the installation of unsigned packages in Fedora or Debian? Does the qubes team audit/review all template updates?
'Yiyi50' via qubes-users:
I'm running qubes 4.0 on a Purism Librem 13 v4. I've installed updates for my templates without necessarily reading everything in the terminal before clicking "y". How concerned should I be of having inadvertently installed an unsigned package? Is there a command i can run to check the signatures on all my installed packages? I should mention that I'm relatively new to linux and qubes. How common is the installation of unsigned packages in Fedora or Debian? Does the qubes team audit/review all template updates?
If you haven't gone out of your way to add repos to your templates, you
would be using the default repos, which require signed packages. Your
chances are basically nil. No-one from Qubes audits updates that are not
from Qubes (with the possible exception here or there for security
critical ones like Xen); that is up to the maintainers of packages in
each distribution (Fedora/Debian).