For example, on macOS:

    brew install --cask bitcoin-core

Or on Ubuntu:

    snap install bitcoin-core

Etc.
In particular, what attack vectors might I be exposing myself to if I choose to install Bitcoin Core using a package manager?
Using Homebrew as an example:
- I presume that download hashes are checked in Homebrew?
- Are hash signatures checked?
- Does Homebrew have a mechanism that ensures that only a Bitcoin Core maintainer can update a package on Homebrew?
- Could I still be vulnerable to a malicious/compromised Homebrew maintainer who changes the download URL and hash?
- Are there any other similar issues or risks?
(N.B.: If the only "safe" method is to build from source or to download Bitcoin Core directly, it's fine to note this and why, but I ask that you please keep answers focused on any risks associated with using a package manager instead.)
Thanks!
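As an added illustration (not part of the original question, and not Homebrew's or Bitcoin Core's own code), the shell script below models what a package-manager hash check of the kind a cask's `sha256` line performs does and does not protect against. Every file is constructed in a temporary directory, so nothing is downloaded and no real release is involved; the file names and "manifests" are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. All inputs are constructed.
set -eu

# Portable SHA-256 (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_against_manifest FILE MANIFEST
# Succeeds when FILE's SHA-256 equals the hash recorded in MANIFEST.
# This is the kind of check a package definition's pinned hash gives you.
verify_against_manifest() {
    expected=$(cut -d' ' -f1 "$2")
    actual=$(sha256_of "$1")
    [ "$expected" = "$actual" ]
}

# Scenario 1: the archive is swapped after the package definition pinned its
# hash. The pinned hash catches the substitution. Prints "rejected".
scenario_tampered_archive() {
    dir=$(mktemp -d)
    printf 'genuine release\n' > "$dir/archive.tar.gz"
    printf '%s  archive.tar.gz\n' "$(sha256_of "$dir/archive.tar.gz")" > "$dir/manifest"
    printf 'modified release\n' > "$dir/archive.tar.gz"   # constructed substitution
    if verify_against_manifest "$dir/archive.tar.gz" "$dir/manifest"; then
        result=accepted
    else
        result=rejected
    fi
    rm -rf "$dir"
    echo "$result"
}

# Scenario 2: whoever controls the package definition also rewrites the
# recorded hash to match the substituted archive. The check passes, so a
# pinned hash alone says nothing about who produced the archive. Prints "accepted".
scenario_rewritten_manifest() {
    dir=$(mktemp -d)
    printf 'modified release\n' > "$dir/archive.tar.gz"
    printf '%s  archive.tar.gz\n' "$(sha256_of "$dir/archive.tar.gz")" > "$dir/manifest"
    if verify_against_manifest "$dir/archive.tar.gz" "$dir/manifest"; then
        result=accepted
    else
        result=rejected
    fi
    rm -rf "$dir"
    echo "$result"
}

# Mitigation: compare the packager's pinned hash with a hash published by the
# upstream project through an independent channel (e.g. a signed checksum file
# obtained out of band). A mismatch means the packaged archive is not the
# upstream release, whatever the packager's own manifest says.
cross_check_manifests() {
    packager_hash=$(cut -d' ' -f1 "$1")
    upstream_hash=$(cut -d' ' -f1 "$2")
    [ "$packager_hash" = "$upstream_hash" ]
}

# Scenario 3: the rewritten manifest from scenario 2, cross-checked against a
# constructed upstream checksum line for the genuine release. Prints "mismatch".
scenario_cross_check() {
    dir=$(mktemp -d)
    printf 'genuine release\n' > "$dir/genuine.tar.gz"
    printf '%s  archive.tar.gz\n' "$(sha256_of "$dir/genuine.tar.gz")" > "$dir/upstream_sums"
    printf 'modified release\n' > "$dir/archive.tar.gz"
    printf '%s  archive.tar.gz\n' "$(sha256_of "$dir/archive.tar.gz")" > "$dir/manifest"
    if cross_check_manifests "$dir/manifest" "$dir/upstream_sums"; then
        result=match
    else
        result=mismatch
    fi
    rm -rf "$dir"
    echo "$result"
}

scenario_tampered_archive
scenario_rewritten_manifest
scenario_cross_check
```

The point of the three scenarios is the distinction the question is circling: a pinned hash in a package definition protects against the download changing underneath the packager, not against the packager (or whoever can edit the definition) changing both URL and hash together. Closing that gap requires a reference the packager does not control, such as the upstream project's own signed checksums, checked against keys obtained independently.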