undefined | Better HN

0 pointstester345y ago0 comments

>I have so many packages, they are free and safe. I've tried Windows recently, have to install software from the web. It is scary.

If you write it this way (without details) then how people can argue?

What's so scary? I think I'm using 99% of my software from an actual vendor sites and never felt that way. Also using things like virustotal.com.

0 comments

sergeykish5y ago

It was unexpected. But could you feel it without experiencing?

I've used open source OS for a decade. It has changed my mind. I've never downloaded software from site. I trust community, not vendors. I use just one non open source application (slack) and I do not trust them, I'd rather run it in a sandbox.

My system comes with a framework to download, build, install any package with just a few commands:

    $ yay -G foo
    $ cd foo
    $ makepkg -sei

I can inspect it and change it, and sometimes I do.

No other ecosystem comes close. Browser extensions and smartphone applications replicate some of it but

* it can be adware/spyware/malware

* it can change overnight, no one checks

* one gallery by popularity or by restriction

Even my closed source software comes from community maintained recipes, Windows finally got it with winget.

Oh, I know! Compare it with programming language package managers — gems, pip, cargo.

lodovic5y ago

This is actually one of the major annoyances for me in Linux. Each distro has its own package manager and set of packages. Yay, yum, apt, pacman, dpkg, portage, the list is near endless and as each package manager needs a reason to exist, each will try to be different. For simple use cases such as installing a package, this is fine. But for example, finding out how to search for available packages can take quite some time on a new distro.

And having all these different package managers require me to either have blind trust in a lot of different communities, or spend a lot of time comparing CRCs and reading code.

sergeykish5y ago

This stance actually annoys me. Should we ditch all but one and only web browser? desktop environment? file manager? database? terminal? language? There it starts and where it ends? And who decides what the true form is?

I do not like apt, dpkg, aptitude — interface is not good, output extremely verbose by default and it was slow. Its existence does not annoy me as I do not use it anymore. I use pacman, but this annoys you, what should I do? Abandon it and fill the web with grieve?

Maybe you have to work with different distributions, it should not be hard to create (or google) wrapper https://github.com/icy/pacapt

Separate communities is Linux power. We do not argue on a true form, we solve our needs.

tester34OP5y ago

Maybe I'm kinda skewed because I started with Windows, but I don't feel difference between downloading e.g Firefox on Windows and typing `apt-get install nginx` on Linux.

Maybe because it requires "huge shittons" of effort to try to controle the software, and yet, at the end of the day I still have to trust somebody (OS, Drivers, ISP, Firmware/Hardware, Govt)

MayeulC5y ago

I just don't expect every developer to be an expert at packaging their app. There's a thousand things to think of, and they might do an unreasonable hack just to get away with distribution.

If you get your packages from a single source, you mostly have to trust that source (lower attack surface), and can be assured they will meet a minimum quality level.

Example oopses from valve (but really, most vendors have theirs):

https://github.com/ValveSoftware/steam-for-linux/issues/3671

https://amonitoring.ru/article/steamclient-0day/

sergeykish5y ago

I've used Windows for 10 years prior that. Maybe the difference is not touching Windows for 10 years.

Sure, it is about trust. Browser addons and language packages pushed by authors, this results in leftpad, spyware. Distributions dissolves authors power, provides buffer, they pull new versions, walk it through stages, there are many eyes and build is (often) reproducible, stable distributions pull only critical updates. Overall effect would not be as dramatic.

https://tests.reproducible-builds.org/archlinux/archlinux.ht...

j / k navigate · click thread line to collapse

0 comments

sergeykish5y ago

It was unexpected. But could you feel it without experiencing?

My system comes with a framework to download, build, install any package with just a few commands:

    $ yay -G foo
    $ cd foo
    $ makepkg -sei

I can inspect it and change it, and sometimes I do.

No other ecosystem comes close. Browser extensions and smartphone applications replicate some of it but

* it can be adware/spyware/malware

* it can change overnight, no one checks

* one gallery by popularity or by restriction

Even my closed source software comes from community maintained recipes, Windows finally got it with winget.

Oh, I know! Compare it with programming language package managers — gems, pip, cargo.

lodovic5y ago

And having all these different package managers require me to either have blind trust in a lot of different communities, or spend a lot of time comparing CRCs and reading code.

sergeykish5y ago

Maybe you have to work with different distributions, it should not be hard to create (or google) wrapper https://github.com/icy/pacapt

Separate communities is Linux power. We do not argue on a true form, we solve our needs.

tester34OP5y ago

Maybe I'm kinda skewed because I started with Windows, but I don't feel difference between downloading e.g Firefox on Windows and typing `apt-get install nginx` on Linux.

Maybe because it requires "huge shittons" of effort to try to controle the software, and yet, at the end of the day I still have to trust somebody (OS, Drivers, ISP, Firmware/Hardware, Govt)

MayeulC5y ago

I just don't expect every developer to be an expert at packaging their app. There's a thousand things to think of, and they might do an unreasonable hack just to get away with distribution.

If you get your packages from a single source, you mostly have to trust that source (lower attack surface), and can be assured they will meet a minimum quality level.

Example oopses from valve (but really, most vendors have theirs):

https://github.com/ValveSoftware/steam-for-linux/issues/3671

https://amonitoring.ru/article/steamclient-0day/

sergeykish5y ago

I've used Windows for 10 years prior that. Maybe the difference is not touching Windows for 10 years.

https://tests.reproducible-builds.org/archlinux/archlinux.ht...

j / k navigate · click thread line to collapse