@marcan Also the way PGP signed repositories work is often vulnerable to downgrade attacks. Especially if you get your packages from a mirror.