Nearly 2000 packages affected now.

I’m starting to become sceptical of package managers as a concept.

  • insurgentrat [she/her, it/its]@hexbear.net · 24 points · 8 days ago

    The AUR is explicitly covered in warnings telling you to vet everything yourself and that you could easily get pwned. Admittedly the process for taking over packages is too lax. The official Linux repos are extremely good in general because they are subject to code review and more stringent requirements. Debian is moving to requiring signed packages, which is good.

    Software library management is different, and pointing to JS as an example of terrible computing practices is well, duh. JS is horrible and used by lowest common denominator people pushing slop out to make the web work worse. But library package managers are solving a different problem, not “how do we make computing safe and easy” which is the OS ones, but rather “how do we make development fast and avoid dependency conflicts”. The names are overlaps but the purpose is separate.

    Shitty devs will get just as owned and own others by copying random unsafe code anyway, don’t use software written by shitty devs

    • kleeon [he/him, he/him]@hexbear.net (OP) · 6 up / 1 down · 8 days ago

      The AUR is explicitly covered in warnings telling you to vet everything yourself and that you could easily get pwned.

      Approximately 0 people saw those warnings. Ever. They all use some frontend like yay which will happily install whatever malware you ask it to.

      Software library management is different, and pointing to JS as an example of terrible computing practices is well, duh. JS is horrible and used by lowest common denominator people pushing slop out to make the web work worse. But library package managers are solving a different problem, not “how do we make computing safe and easy” which is the OS ones, but rather “how do we make development fast and avoid dependency conflicts”. The names are overlaps but the purpose is separate.

      I don’t see how they are conceptually different. Sure, one of them has better quality control but we still get backdoors sneaking through into popular distros. OS package managers also have an effect on development. Devs rely on them to resolve a massive net of dependencies they create when the goal should be to reduce the number of dependencies

      Shitty devs will get just as owned and own others by copying random unsafe code anyway, don’t use software written by shitty devs

      What if the software was written by a great dev deliberately to own you? What if this dev was hired specifically to place a malicious line of code into do_some_basic_stuff.so library that everyone is using for some reason?

      • chgxvjh [he/him, comrade/them]@hexbear.net · 13 points · 8 days ago

        I don’t see how they are conceptually different.

        With a Linux distro package manager there is usually a single version of a dependency and the maintainers try to keep that secure.

        With programming package managers each project has its own dependency tree. With npm there can even be multiple versions of the same dependency in the tree.

      • insurgentrat [she/her, it/its]@hexbear.net · 12 points · 8 days ago

        Yay is itself an unofficial piece of software with terrible security defaults, such as not showing diffs by default. To install yay you go outside the official repositories; it is no more trustworthy than going to enthusiastsite.com and downloading some makewindowsawesome.exe.

        The AUR is still a better solution than everyone (mis)managing their own systems and never updating anything but it is not vetted, it’s in the bloody name what it is.

        The rest is just social problems. If you’re not fit to audit code and have to rely on trusting maintainers, why would you expect removing them would make it better? Look at Windows for an indication of the ludicrous mess of out-of-date and vulnerable software, ransomware etc. that will happen.