Arch have only recently adopted package signing in pacman, and while Gentoo have had package signing for some time (I understand), many package developers don't bother to sign their packages.
My questions are, for a desktop user like me who's only looking to learn more stuff about Linux and not fill my drive with countless programs:
- Is package signing that big of a deal if I only use packages that I know are signed?
- Don't pacman and portage allow one to see whether a package is signed?
- And what about dependencies? Won't it defeat the purpose of package signing if a package manager installs loads of unsigned dependencies?
- Won't every package have to be signed or none?