Comment 7 for bug 1857410

Clinton H (49studebaker) wrote (last edit ):

If a user chooses to use a deb file to install software, Linux could prompt the user for the hash value. This would ensure the file didn’t get corrupted while downloading.

The attacker who embedded malware in Linux Mint created a hash value for the malicious ISO file. Verifying the hash would not have protected users.

There could be a database of hash values for non-repository software. If a user downloads a deb file, Linux could use the hash value from the database to verify the download is safe. If the downloaded software is not found in the database, a user could press a button to request the software and hash value be added. Linux security team developers could check the software and add the legitimate hash value to the database. This could help protect inexperienced Linux users.

A user could install non malicious software from the repository or a deb file, but malware could be delivered through software updates. Some software developers might not be trustworthy or they might get hacked. Malicious code might be obvious in open source software, but security flaws are like a back door and are more difficult to discover.
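Added example, not part of this comment or of any Ubuntu tooling: a POSIX shell sketch of the lookup the comment proposes, checking a downloaded .deb's SHA-256 against a hash database that was obtained separately from the download itself (which is the detail the Linux Mint case hinges on). The database format, file names and sample files are constructed assumptions.

```shell
#!/bin/sh
# Verify a downloaded .deb against a hash database fetched over a channel
# independent of the download site. Database format is an assumption for this
# example: one "<sha256>  <package file name>" line per entry.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # macOS / BSD fallback
    fi
}

# verify_against_db <file> <db>
# Returns 0 = hash listed (OK), 1 = name listed but hash differs (corrupted
# or tampered), 2 = not in database (the "request it be added" case).
verify_against_db() {
    vf_file=$1; vf_db=$2
    vf_actual=$(sha256_of "$vf_file")
    vf_name=$(basename "$vf_file")
    # Match on the hash, not only on the name: a tampered file keeps its name.
    if grep -qxF "$vf_actual  $vf_name" "$vf_db"; then
        echo "OK: $vf_name matches database entry"; return 0
    elif awk '{print $2}' "$vf_db" | grep -qxF "$vf_name"; then
        echo "MISMATCH: $vf_name is listed but its hash differs"; return 1
    else
        echo "UNKNOWN: $vf_name not in database; request review and addition"; return 2
    fi
}

# Constructed sample data: a small "database" and three downloads.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'good payload\n'     > "$demo_dir/good.deb"
printf 'tampered payload\n' > "$demo_dir/bad.deb"     # same name listed, different bytes
printf 'unlisted payload\n' > "$demo_dir/unknown.deb" # never reviewed
good_hash=$(sha256_of "$demo_dir/good.deb")
printf '%s  good.deb\n%s  bad.deb\n' "$good_hash" "$good_hash" > "$demo_dir/hashes.db"

for f in good.deb bad.deb unknown.deb; do
    verify_against_db "$demo_dir/$f" "$demo_dir/hashes.db" || true
done
```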