Packages & signed repos
apt/dnf, GPG-signed repos, updates.
Software gets onto a Linux system through a package manager, which installs programs and, crucially, tracks their dependencies and updates. Debian/Ubuntu use apt (packages are .deb); RHEL/Fedora use dnf (packages are .rpm). The package manager is not just a convenience — it is a security boundary, because it fetches software from repositories and, done right, cryptographically verifies that what it installs really came from the trusted source and was not tampered with in transit.
# Debian/Ubuntu (apt) # RHEL/Fedora (dnf)$ sudo apt update $ sudo dnf check-update$ sudo apt upgrade $ sudo dnf upgrade$ sudo apt install nginx $ sudo dnf install nginx$ apt list --installed | wc -l $ dnf list installed | wc -l$ dpkg -S /usr/bin/ssh $ rpm -qf /usr/bin/ssh # which package owns a file?
Signed repositories: trusting your software supply
Repositories are signed with GPG keys, and the package manager verifies every package’s signature against the trusted keys before installing — so a package that was modified, or served by an impostor mirror, is rejected. This is the OS-level version of the supply-chain trust the CI/CD track covers: you install only what a trusted publisher signed. Adding a third-party repository means adding trust in its signing key, so do it deliberately and only for sources you actually trust.
Patching is a security control
Most real-world breaches exploit known vulnerabilities that a patch already existed for — so keeping packages updated is one of the highest-impact security activities there is, not mere housekeeping. Apply security updates promptly, and consider enabling automatic security updates (unattended-upgrades on Debian/Ubuntu, dnf-automatic on Fedora/RHEL) so critical fixes land without waiting for a human. An unpatched, internet-facing service is the single most common way hosts get compromised.
# turn on automatic security patching (Debian/Ubuntu)$ sudo apt install unattended-upgrades$ sudo dpkg-reconfigure -plow unattended-upgrades# check what would be upgraded and why:$ apt list --upgradable