Mert nem csak csomaglistát, de csomagokat is húzhat, amit a rendszer automatice telepíteni fog:
They also install Microsoft’s GPG key used to sign packages from that repository. This can potentially lead to a scenario where an update pulls a dependency from Microsoft’s repo and that package would be automatically trusted by the system.