There was a time that I used Gentoo, and may again one day, but for the past N years, I’ve not had time to compile everything from source, and compiling from source is a false sense of security, since you still don’t know what’s been compromised (it could be the compiler, etc.), and few have the time or expertise to adequately review all of the code.
It can be a waste of energy and time to compile everything from source for standard hardware.
But, when I’m retired, maybe I’ll use it again just for the heck of it. And I’m glad that Gentoo exists.
At least when I used Gentoo, the point of compiling from source was more about customization than security. I remember having to set so many different options. It was quite granular. Now I just compile certain things from scratch and modify them as needed rather than having an entire system like Gentoo do that, but I do see the appeal to some people.
This is exactly why I use it where I use it - on my servers. I don’t need to compile X or X support for programs that could have it, because they’re headless.
I feel like most Gentoo folks probably moved over to Nix/NixOS.
The security argument for recompiling from source is addressed by the input addressed (sic) package cache. The customization aspect is mostly covered by Nix package overrides and overlays. You can also set up your own package cache.
I haven't. The Nix language makes no sense to me and there is still nothing akin to useflags. I don't want to override a bunch of packages just to make my system not pull in (e.g.) UI libraries.
Sibling comment aside, I could definitely picture it being a fairly narrow slice of folks who are ideologically motivated enough to choose a niche distro over Ubuntu, Debian, Fedora, or even Arch, but pragmatic enough to still prefer Gentoo over Nix.
> I’ve not had time to compile everything from source,
Then use the official binary packages?
> and compiling from source is a false sense of security, since you still don’t know what’s been compromised (it could be the compiler, etc.), and few have the time or expertise to adequately review all of the code.
That would still leave you in a strictly better position, surely? Any other distro would pull the same code and build with compilers, so that attack surface exists regardless.
Granted, I wasn’t into Arch at the time, but in the mid-aughts, Gentoo’s forums were a massively useful resource for Linux knowledge in general. That’s why I used it, anyway. The joy of getting an obscure sound card (Chaintech AV-710) to work in Linux, and sharing that knowledge with others, was enough.