Security

Trust must be visible.

Pigeon Linux treats package signatures, reproducible metadata, repository integrity, and transparent incident reporting as core infrastructure.

SIGNED

Archive metadata

Archive Release metadata is signed, so APT can verify the repository's state before it trusts a package index or installs anything from it.

MONITORED

Pigeon Blackwatch

Repository artifacts are checked for checksum, metadata, policy, dependency, source, version, and signature failures.

ATOMIC

Safe publication

Repository generation is staged and validated before the live archive is changed.

Reporting a vulnerability

A dedicated security contact and encrypted reporting instructions will be published before the first stable release. Do not disclose an unpatched vulnerability publicly before the maintainers have had a reasonable opportunity to investigate it.

Image verification

Official installation images will include SHA256 checksum files and detached OpenPGP signatures. Verification commands will be displayed beside every downloadable release.
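The following is an added example, not Pigeon Linux's own published verification commands. It shows the order a downloader should follow: authenticate the checksum file's detached OpenPGP signature against a pinned keyring first, and only then check the image against that checksum file. The file names (pigeon.iso, SHA256SUMS, SHA256SUMS.sig, pigeon-release.gpg) are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not Pigeon Linux's published commands): verify a downloaded
# image against its SHA256 checksum file and the detached OpenPGP signature
# on that checksum file. Hypothetical file names: pigeon.iso, SHA256SUMS,
# SHA256SUMS.sig and a keyring pigeon-release.gpg holding the release key.
set -u

# Digest of a file, using coreutils sha256sum or BSD shasum, whichever exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Check a detached signature against ONE pinned keyring, not the user's
# default keyring, so a stray imported key cannot satisfy the check.
# gpg exits 0 only for a good signature by a key in that keyring; whether
# that key really is the release key is settled by comparing its
# fingerprint with one obtained out of band, not by this function.
# $1 = keyring (absolute path), $2 = signature file, $3 = signed file
verify_signature() {
  gpg --no-default-keyring --keyring "$1" --verify "$2" "$3" 2>/dev/null
}

# Compare the image's digest with the line that names it in the checksum
# file (sha256sum format: "<hex>  <name>" or "<hex> *<name>").
# Returns 0 on match, 1 on mismatch, 2 if the image is not listed at all,
# so a trimmed checksum file cannot pass as "nothing to check".
# $1 = checksum file, $2 = image
verify_checksum() {
  name=$(basename "$2")
  expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$1")
  [ -n "$expected" ] || return 2
  [ "$(sha256_of "$2")" = "$expected" ]
}

# Order matters: authenticate the checksum file first, then use it.
# A checksum alone only proves the download was not corrupted; the
# signature is what ties it to the release key.
# $1 = keyring, $2 = image; SHA256SUMS and SHA256SUMS.sig sit beside it.
# Returns 0 on success, 3 if the signature fails, 1 or 2 from verify_checksum.
verify_image() {
  dir=$(dirname "$2")
  if ! verify_signature "$1" "$dir/SHA256SUMS.sig" "$dir/SHA256SUMS"; then
    echo "refusing: bad or missing signature on $dir/SHA256SUMS" >&2
    return 3
  fi
  verify_checksum "$dir/SHA256SUMS" "$2"
  rc=$?
  case $rc in
    0) echo "ok: $2 matches its signed checksum" ;;
    1) echo "MISMATCH: $2 does not match its signed checksum" >&2 ;;
    2) echo "refusing: $(basename "$2") is not listed in $dir/SHA256SUMS" >&2 ;;
  esac
  return "$rc"
}

# Usage: verify_image /path/to/pigeon-release.gpg ./pigeon.iso
```

The interactive equivalent is `gpg --verify SHA256SUMS.sig SHA256SUMS` followed by `sha256sum -c --ignore-missing SHA256SUMS`. Note that `sha256sum -c` exits non-zero on a mismatch but is silent about a file that is simply absent from the list, which is why `verify_checksum` reports an unlisted image as its own failure instead of treating it as success.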