You are right that the distribution as it provides binary code is a trust root. If you can’t trust them, you have nothing to stand on.
I had the impression that CachyOS suggests to use AUR packages - maybe I am wrong here?
And if CachyOS is (what I am just assuming) geared towards less technical users, can you really expect their average user to examine shell scripts from a forum post?
How do their users even know that the post and its author is legitimate? Are they supposed to check PGP keys?
You are right that the distribution as it provides binary code is a trust root. If you can’t trust them, you have nothing to stand on.
I had the impression that CachyOS suggests to use AUR packages - maybe I am wrong here?
And if CachyOS is (what I am just assuming) geared towards less technical users, can you really expect their average user to examine shell scripts from a forum post?
How do their users even know that the post and its author is legitimate? Are they supposed to check PGP keys?
You can call that paranoid but there is a reason why distributions use packkage signing, publish webs of trust, and why the Guix developers even worked hard to reduce the binary bootstrapping code for the distro down to 512 bytes - it is a consequence of the “trusting trust” problem posed by Ken Thompson that the more stuff is opaque, the more trust is needed.