Package management systems are scary before packages are abandoned too. Your production infrastructure is trusting some random developer(s) to both do the right thing and not get hacked.

That's not to say OSS cannot be trusted, but it certainly makes trusting smaller projects and packages scary.

reply
In principle "traditional" curated Linux distro package systems will patch stuff even if upstream is unresponsive.
reply
Sorry, I should have clarified that I was referring to language-based systems (cargo, pip, npm, etc.). But you do raise a good point: it's less about the concept of package management and more about the point of curation and central security guarantees / policies / procedures. In theory the RHEL package management system could have similar problems to cargo or npm, but they are much better funded and thus managed.
reply
In practice, not principle. Virtually every non-trivial upstream package in Debian/Fedora/Arch/whatever has at least a handful of distro-specific patches. Sometimes they're just configuration, sometimes they're distro-maintained security fixes, etc...

But people exercise those features regularly and distros are not shy about maintaining software. It's a very different world from "We Just Ship What They Give Us" in npm/cargo/etc...

reply
There are plenty of open source things from Google and Microsoft that have been abandoned too, so you'd need to evaluate the project independently of the sponsor.

This doesn't apply to closed source things because you wouldn't be able to use it in the first place.

reply
I really hate it when various packages expect users to add their custom repo. Especially for something where I don’t care about updates.

Feels like every little thing should be in its own Docker container with limited filesystem access. Of course that is a whole lot of trouble…

The dependency trees in cargo/pip also greatly bother me.

VS Code extensions are also underappreciated. Some turd makes a "starter pack" for Rust/Python/etc. with a great set of common extensions… plus a few that nobody has heard of… Over time, they reach 50k-100k downloads and start to appear legit… Excellent way to exfiltrate trade secrets!!!

reply
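The "every little thing in its own container with limited filesystem access" idea from the comment above, written out as an added example (not from the thread or from any project mentioned in it): a docker-compose service that runs `cargo build` for one project while the container can see only that project directory, a named volume for the registry cache, and a tmpfs. Build scripts and proc-macros fetched from crates.io therefore run without access to `~/.ssh`, `~/.aws`, browser profiles or any other project on the host. The image tag, uid/gid and mount paths are assumptions to adjust for your setup.

```yaml
# Added example, not code from the original thread.
# Assumptions: the project lives in the current directory, your host uid/gid
# is 1000:1000, and the rust:1-slim tag is acceptable (pin a digest in practice).
services:
  cargo:
    image: rust:1-slim
    working_dir: /work
    # --locked refuses to build if Cargo.lock would change, so a publisher
    # pushing a new version cannot silently alter what gets compiled.
    command: ["cargo", "build", "--locked"]
    user: "1000:1000"             # files written to target/ stay owned by you
    read_only: true               # container root filesystem is immutable
    cap_drop: [ALL]               # build tooling needs no Linux capabilities
    security_opt:
      - no-new-privileges:true    # setuid binaries inside the image cannot escalate
    environment:
      CARGO_HOME: /cargo          # keep the registry cache out of $HOME
    volumes:
      - ./:/work                  # the ONLY host path visible to the build
      - cargo-home:/cargo         # registry/git cache in a named volume
    tmpfs:
      - /tmp                      # scratch space that disappears with the container

volumes:
  cargo-home:
```

Run it with `docker compose run --rm cargo`; the build output lands in `./target` on the host as usual. Network access is left enabled so Cargo can fetch crates listed in `Cargo.lock`; if you vendor dependencies you can add `network_mode: none` and pass `--offline` to remove that channel too. The same shape (project dir as the only bind mount, read-only rootfs, dropped capabilities) works for `pip install` or `npm ci` images, which is where the comment's worry about deep dependency trees applies just as much.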