by moron4hire 3773 days ago
Untrusted by whom? It's the same vendor whether it comes from their site or the package repository.

And maybe people include way too many dependencies in their projects if it's too much to manage manually. Also, installers are perfectly capable of managing dependencies.

1 comment

It's the same vendor whether it comes from their site or the package repository.

Prove it.

The package manager allows you to cryptographically verify the binary was inspected by somebody you trust (the package maintainers). While Windows has added code-signing/verification capabilities, many installers are unsigned, and those which are signed don't have a useful trust anchor.

Prove the repository maintainer doesn't blanket approve things because they are overwhelmed.
That's what the mailing list / debbugs are for. Each package has one or more maintainers who are responsible for looking after the package creation and upload.

A new upload creates an audit trail that could be checked if needed.
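The verification chain the reply above describes (a signed index, hashes down to the binary, and a trust anchor pinned on the client), as an added example that is not part of the thread or of any distribution's tooling: a Go program that builds a constructed APT-style repository, signs its Release file, and checks a .deb the way apt does before installing it. Ed25519 stands in for the archive's OpenPGP key, and the suite name, package name and pool paths are constructed sample data. The third scenario is the "no useful trust anchor" case from the comment: a perfectly valid signature made by a key the client never trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

const packagesPath = "main/binary-amd64/Packages"
const sampleDeb = "pool/main/h/hello/hello_2.10_amd64.deb" // constructed path

// Archive is a constructed stand-in for an APT repository: a signed Release
// index naming the hash of the Packages index, which names the hash of each
// .deb. Ed25519 stands in for the archive's OpenPGP signing key (assumption).
type Archive struct {
	Release    string
	ReleaseSig []byte
	Packages   string
	Debs       map[string][]byte // pool path -> package bytes
}

func sha256hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildArchive assembles and signs the toy repository (constructed sample data).
func BuildArchive(signKey ed25519.PrivateKey) *Archive {
	debs := map[string][]byte{sampleDeb: []byte("constructed .deb contents")}
	var pkgs strings.Builder
	for path, body := range debs {
		fmt.Fprintf(&pkgs, "Package: hello\nFilename: %s\nSHA256: %s\n\n", path, sha256hex(body))
	}
	packages := pkgs.String()
	release := fmt.Sprintf("Suite: stable\nSHA256:\n %s %d %s\n",
		sha256hex([]byte(packages)), len(packages), packagesPath)
	return &Archive{Release: release, ReleaseSig: ed25519.Sign(signKey, []byte(release)),
		Packages: packages, Debs: debs}
}

// releaseHash returns the SHA256 that Release lists for an index file.
func releaseHash(release, path string) (string, bool) {
	for _, line := range strings.Split(release, "\n") {
		if f := strings.Fields(line); len(f) == 3 && f[2] == path {
			return f[0], true
		}
	}
	return "", false
}

// packagesHash returns the SHA256 that the matching Packages stanza lists for a .deb.
func packagesHash(packages, path string) (string, bool) {
	for _, stanza := range strings.Split(packages, "\n\n") {
		var filename, hash string
		for _, line := range strings.Split(stanza, "\n") {
			if strings.HasPrefix(line, "Filename: ") {
				filename = strings.TrimPrefix(line, "Filename: ")
			} else if strings.HasPrefix(line, "SHA256: ") {
				hash = strings.TrimPrefix(line, "SHA256: ")
			}
		}
		if filename == path && hash != "" {
			return hash, true
		}
	}
	return "", false
}

// Verify mirrors apt's checks: the Release signature must verify against the
// archive key pinned on the client (the trust anchor), and the hash chain
// Release -> Packages -> .deb must be unbroken. Any break is fatal.
func Verify(a *Archive, trusted ed25519.PublicKey, deb string) error {
	if !ed25519.Verify(trusted, []byte(a.Release), a.ReleaseSig) {
		return errors.New("Release signature does not verify against the trusted archive key")
	}
	want, ok := releaseHash(a.Release, packagesPath)
	if !ok {
		return errors.New("Packages index is not listed in Release")
	}
	if sha256hex([]byte(a.Packages)) != want {
		return errors.New("Packages index does not match the hash in Release")
	}
	if want, ok = packagesHash(a.Packages, deb); !ok {
		return fmt.Errorf("%s is not listed in Packages", deb)
	}
	body, ok := a.Debs[deb]
	if !ok {
		return fmt.Errorf("%s is missing from the pool", deb)
	}
	if sha256hex(body) != want {
		return fmt.Errorf("%s was modified after the maintainer signed it", deb)
	}
	return nil
}

// Scenarios checks the genuine archive, a .deb swapped after signing, and an
// archive re-signed by a key the client never trusted (valid signature, no anchor).
func Scenarios() (genuine, tampered, untrustedSigner error) {
	archivePub, archivePriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine = Verify(BuildArchive(archivePriv), archivePub, sampleDeb)

	b := BuildArchive(archivePriv)
	b.Debs[sampleDeb] = []byte("trojaned .deb contents")
	tampered = Verify(b, archivePub, sampleDeb)

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	untrustedSigner = Verify(BuildArchive(attackerPriv), archivePub, sampleDeb)
	return
}

func main() {
	g, t, u := Scenarios()
	fmt.Println("genuine archive:  ", g)
	fmt.Println("tampered .deb:    ", t)
	fmt.Println("untrusted signer: ", u)
}
```

The point of the third scenario is the one the comment makes about installers: a signature is only evidence if the verifier already holds the key it should be checked against. A vendor-site download signed by a key nobody pinned is indistinguishable, to the client, from one signed by whoever controls the download path.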