Core Problem
Software users must trust vendors despite security risks, with limited practical ways to verify software integrity and security.
Key Verification Methods
- Code signing & package verification
- App store distribution & controls
- Binary transparency systems
- Source code review & reproducible builds
Major Challenges
- Source review is impractical due to code volume and complexity
- Reproducible builds are technically difficult
- Supply chains involve multiple trust points
- Targeted attacks are hard to detect
- Verification tools themselves require trust
Current Reality
While some security measures exist (open source, reproducible builds, binary transparency), complete elimination of trust in software vendors remains impossible. Users must ultimately trust some combination of:
- Software vendors
- Operating system providers
- App store operators
- Package managers
- Hardware manufacturers
Code signing and verification is useless when you think the danger is the software company, like Microsoft. It'll have the surveillance crap in the checksum anyway. Microsoft scares me a lot more than any virus scammer.
That's why we need to move away from walled gardens and help others understand it as well.