Study: Attacks on package managers

Posted Jul 15, 2008 6:44 UTC (Tue) by MattPerry (guest, #46341)
In reply to: Study: Attacks on package managers by JoeBuck
Parent article: Study: Attacks on package managers

> And why doesn't it inspire confidence?  The invalid signature protected
> you from a corrupt download (my guess is that these are usually truncated
> or partially transferred files).

It doesn't inspire confidence because I'm not a cryptography expert, nor do I desire to be
one.  As an end user, all I see is an error that I do not understand.  I don't know why the
signature is invalid and the error doesn't give me any guidance on what the significance is
nor how to correct it.  I know that signed packages and package lists are supposed to protect
me, which is why I sit up and take notice when I see the error.

The best that I've been able to do in this situation is to try the update again and hope the
error goes away.  Usually the error will not happen when I update the package list a second
time.  Occasionally, the error will persist no matter how many times I update and I just try
again later.  That is what happened with Ubuntu today. I ran the "check updates" from the
update manager five times over about 15 minutes and I continued to receive the same error.  If
I try the updates tomorrow, I expect that it will be fine.

It's using TCP, not UDP, to download the data.  Shouldn't TCP ensure that I'm getting
the correct data?  I wouldn't expect the transfer to be corrupt several times in a row.  I
could understand if I only saw this error once, but I see it often enough that I don't think a
corrupted download is the problem.  I also see it with Debian and Ubuntu, so it's not
something restricted to one distribution.


Study: Attacks on package managers

Posted Jul 15, 2008 8:50 UTC (Tue) by jond (subscriber, #37669)

> It doesn't inspire confidence because I'm not a cryptography expert,
> nor do I desire to be one.  As an end user, all I see is an error
> that I do not understand.  I don't know why the signature is invalid
> and the error doesn't give me any guidance on what the significance
> is nor how to correct it.

I think I agree with you here that the UI side needs work.

> It's using TCP, not UDP, to download the data.  Shouldn't TCP
> ensure that I'm getting the correct data?

TCP would protect you against the data being corrupted in transit from the mirror to yourself.
This looks like corruption at the mirror end or (in the case of a bad transparent proxy) stale
data being served up from a cache that doesn't correspond to the package index.
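
The distinction drawn in this thread, as an added example that is not part of the original comments or of APT's own code: TCP delivers whatever bytes the mirror or proxy sends, so a stale index arrives intact and only the end-to-end check against the signed metadata notices. The sketch assumes the Debian `Release` file layout (a `SHA256:` section listing hash, size and path); the sample data, the path and the function names are constructed for illustration.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from a Release file's SHA256 section."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):       # a new top-level field begins
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries

def diagnose(entries, path, body):
    """Return (code, advice) relating fetched bytes to the signed metadata.

    The size comparison is only a hint: an older, smaller index would also
    be reported as "short".
    """
    if path not in entries:
        return ("unlisted", "the signed metadata does not list this file")
    want_hash, want_size = entries[path]
    if hashlib.sha256(body).hexdigest() == want_hash:
        return ("ok", "content matches the signed metadata")
    if len(body) < want_size:
        return ("short", "fewer bytes than listed: truncated or partial copy; retry")
    return ("mismatch", "complete file, different content: stale cache or mirror "
            "out of step with its index; retrying via the same path will not help")

# Constructed sample data (not real repository content).
PATH = "main/binary-amd64/Packages"
NEW_PACKAGES = b"Package: demo\nVersion: 1.1\n"   # what the metadata describes
OLD_PACKAGES = b"Package: demo\nVersion: 1.0\n"   # what a stale cache still holds
RELEASE = "Origin: Example\nSHA256:\n %s %d %s\n" % (
    hashlib.sha256(NEW_PACKAGES).hexdigest(), len(NEW_PACKAGES), PATH)
ENTRIES = parse_release_sha256(RELEASE)

if __name__ == "__main__":
    for label, body in [("fresh", NEW_PACKAGES), ("stale", OLD_PACKAGES),
                        ("cut off", NEW_PACKAGES[:10])]:
        print(label, "->", diagnose(ENTRIES, PATH, body))
```

The "mismatch" case repeats on every retry until the cache or mirror catches up, which matches an error that persists across several attempts within a few minutes.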

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds