There are ways to secure the update process. For example, you can enable secure boot and store your secure boot keys encrypted (or on a smart card). Then (if a full chain of trust is implemented) to update your system, you’d need to enter the private key password (or insert the smart card), and a root-access executable couldn’t do that automatically.
Yeah, but do other distros do this though? Not that I’m aware of.
And surely the same could be done to NixOS, no?
I think it can in theory, but there will be some problems. But most likely Silverblue or something else would have its own problems trying to implement something like that - I don’t have any experience with them and don’t know how they’d compare.