Debian vs rpm updating
PGP has the “Web of Trust” concept, when a key is signed by someone else’s key, that in turn is signed by another key and so on.
It often makes possible to build a chain from an arbitrary key to someone’s key who you know and trust personally, thus verify the authenticity of the first key in a chain.
In fact, the current versions of yum (for enterprise distributions) and DNF (for community) combine several open source projects to provide their current functionality.
Initially, Red Hat used a package manager called RPM (Red Hat Package Manager), which is still in use today.
Only a few small files contained the instructions to create a binary (normally in a tarfile).
You would untar the files, read the readme, and as long as you had GCC or some other form of C compiler, you would then typically run a process would check your system for application dependencies.