In short, it's like an induction problem; since the very first version of the tool did not check sigs, the chain of trust cannot be "bootstrapped". The problem has become inserting the fixed/trustable tool somewhere into the insecure sequence.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds