On Mon, Jul 01, 2024 at 10:45:39AM -0400, Stefan Monnier wrote:
> > As a general rule I am willing to accept RPMs, pacman ?? packages, and
> > .debs, when they are from the Distribution's own package libraries, or
> > hardware vendor supported, as otherwise I don't know the people providing
> > the package. I have this strange belief that when a developer supplies
> > a package to the Distribution owner for inclusion in their libraries, the
> > Distribution owner does some level of verification/validation that the
> > package plays nicely with the distribution and other applications. Maybe
> > even some security checking?
>
> I'm with you, here. AFAIK Debian packaging does not in and of itself
> come with any sort of "security checking", tho. So, if there are
> security benefits (personally, I do believe there are) they are mostly
> an indirect result of the packaging process, e.g. in the presence of extra
> eyes, or in the need to investigate the details of the licensing, or the
> need to follow the rules about where files are placed, or in the
> avoidance of vendoring, or in the "slow" pace of stable releases, ...
I think there is a bit more to it. Imagine now you have 30 flatpaks, each one bringing in its own snowflake version of... uh... libxz [1], say, and suddenly there is a backdoor. Sixteen of the startups providing the flatpaks have gone bust or were bought up by $BIGCORP. Now, what.

> For that same reason, I try to stay away from things like Snap/Flatpak
> which seem to be a way to skip all that "process" and run effectively
> black-boxes, thereby preventing you access to the usual transparency
> benefits of Free Software.

That would be my approach too. Of course, $VENDOR offering the thing as a .deb is no guarantee either. I know of one which comes with two complete copies of PostgreSQL server, because... why not. So I try to stick to distro-native packages as far as possible.

But hey. Everyone's entitled to ruin their health however they like :)

Cheers

[1] Just a random example, of course. And the person who discovered that backdoor happens to be a Debian maintainer, but hey.

-- 
t