alt Hacker NewsIf we were talking about any linux distribution before stagex, I would agree with you.
Stagex however expects at least one maintainer may at any time engage in reputation-ending dishonesty or simply they were threatened or coerced. This is why every single release is signed by a -quorum- of code reviewers and code reproducers that must all build locally and get identical hashes, so no single points of failure exist in our trust graph.
Our last release was signed by four geodistributed maintainers that all attest to having built the entire distribution from 180 bytes of machine code all the way up with the same hashes.
All of their keys being compromised at once gets beyond the pale.
While I appreciate all of the effort you put in this and respect that you trust this to be bulletproof I'm always going to be skeptical of silver bullets.
Your level of certainty is the thing that frightens me more than the confidence I have in the quality of your work.