Follow up: How to write a Linux virus

I agree with you, and it's made clear what will happen. The lack of any useful way to decide on trust for that key, is a weakness in the one-click install.

So now, we have double-click installing programs into the system, and it's OK, because the stuff is signed, and warnings like entering a password to be root, and a general bside covering warning about trusting repositories is given.

OTOH, we have DE which seem willing to run arbitary code, without any precuations.