
> Or you know developers could package their own software.

As a developer I can tell you right now that I'm not going to package everything for hundreds of Linux distros that I don't even know the name of.

> It's some upfront effort but usually set and forget. Things like FPM[1] make this even easier. Personally I don't know why developers find packaging so hard. I've had to package hundreds of bits of software for different distros (and versions of said distro) over my career and it's usually set and forget with some changes when there are big underlying changes to the OS like sysv > systemd. Granted my experience is with non-GUI apps so I can imagine there are likely some pain points between different distros/versions when it comes to the hot mess that is DEs.

Have you ever thought about the fact that maybe doing something a lot makes you good at it?

Many developers are not Linux experts, and don't know the many differences between the distros and the package managers, or even between the different distros using the same manager.

Saying it's 'fire and forget' when there are so many distros which are all moving targets with different goals, release cycles and so on is just basically lying.

But that's not all: you also have to deal with bug reports from many different people that you cannot reproduce.

> Because I have to go from trusting 1 vendor to install 1 package (and dependencies) to 1 3rd party repo that anyone can push to. That is a huge change in the trust model.

So the fact that some poor Debian maintainer had to wrap the vendor's app with some Debian-specific glue makes it safer?

If you trust the vendor of your software, you can trust that they maintain a repo where you can download it. That might be Flathub for some smaller ones, but others will have their own.

There is no more trust involved at all; maybe you move trust from Debian to Flathub, but that's it.

> We already have those.

Not with the advantages of the maintainer only having to publish one software package.

> This isn't about trusting the software in the package; it's about trusting the package maintainer, who could now be absolutely anyone with no verification or validation. See malware in other user-run repos like NPM, pip, AUR etc...

It is already absolutely anybody. Do you know all the people who package for Debian?

Also, if you don't want to use apps directly from Flathub, you don't have to. You can use only software that has been validated by the Flathub community, or that somebody like Fedora has adopted.

Forcing thousands of man-hours of voluntary work just so you can claim "some guy lightly related to the X distro project has taken a couple of hours to see if it doesn't crash", and basing my security on that, is an insane approach.

That's a terrible, terrible security architecture, and the only reason anybody is defending it is because that's how it used to be and that somehow makes it good.
