1. Packaged by the developer/publisher, see VirtualBox, Spotify, Chrome, Slack, etc.
2. Packaged by a single 3rd party, see PPAs
3. A central 3rd party repo populated by anyone: NPM, AUR, pip, Snap/Flatpak, etc.
Case 1: I have to trust the developer/publisher, which is sensible; you're already trusting their code to run.
Case 2: I have to trust some random 3rd party. Sometimes this is possible, sometimes not, but if I do trust them I'm trusting them for one package (and maybe its dependencies). I may have multiple options of who to trust to provide this package.
Case 3: Anyone can package anything; if they get there first they can publish things however they like. The problem is that they are implicitly trusted by the repo, not me.
The first 2 are acts of active trust: I have to verify the person/company I'm downloading from and make a decision whether I trust them or not. With a 3rd party central repo (it doesn't matter what format) I do not have that option; I either trust everything that anyone can publish to be correct or I don't use it.