by newnewpdro 2964 days ago
It's only a matter of time before some major successful linux system attack is delivered via snap/flathub.

Distributions and their package maintainers serve an important role. In the interests of consuming more & faster, people seem to be ignoring that.

I wish we had enough resources in the free software community for all software to be packaged and maintained in the distributions by independent parties unaffiliated with the creators as a rule.

In theory you can have the last bit with Flatpak (and perhaps snap); the issue here is auditing what goes in the repositories, not the package format.
Have you ever gone through the rigamarole of getting a project into a major distro like debian?

A bunch of the guidelines governing that process are simply unenforceable in a model where the developer builds and publishes the release.

I am not of the opinion that those rules are irrelevant to the stability and security of our systems.

There's a significant push to establish a more app-store model for linux distributions, taking the distributor largely out of the loop for software that isn't part of the base system.

This has both positive and negative consequences.

Today the negative consequences are largely hand-waved away with something along the lines of "containers will protect you".

I do not really see the difference between the app-store model and the distribution repository model; at the end of the day both are models that teach the users to only download stuff from a specific place. This introduces gatekeeping middlemen that personally I'd rather do without. But if there is going to be a central """trusted""" place, I'd prefer it to be distribution agnostic.

(although even that isn't ideal since in practice it ends up with the major popular distributions pushing agendas to the smaller distributions through whatever requirements are there for "compatibility")

It makes a substantial difference when we're talking about open software the distributor builds from source. The major distributors set a relatively high standard for the build process.

The same cannot be said for developers in my experience, who often don't even see a problem with the build process accessing the network - and frequently will publish releases built from the same host environment they use for their general daily computing.

From the perspective of a distributor, the packages should be perfectly buildable (and for official releases, preferably so) with a toolchain of known provenance in a clean environment without network connectivity.

The priorities are quite different for the developer of software and the distributor of systems incorporating that software. It's similar to the tension between system administrators and developers.
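The distributor requirement raised above (a package that builds identically in a clean environment, independent of the host it was built on) is testable. The following is an added example, not code from the thread or from any distribution's tooling: it packs a small constructed source tree twice, from two simulated build hosts whose only difference is file timestamps, and shows that naive packaging leaks the host while a normalized packaging step produces bit-identical artefacts. The project name, file contents and timestamps are all made up for the demonstration.

```python
"""Reproducible-packaging check (added example). Same sources, two
"build hosts" differing only in checkout time; only the normalized
packaging step yields identical archives. Sample sources are constructed."""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample "source tree" (hypothetical toy project, not a real package).
SAMPLE_SOURCES = {
    "hello/Makefile": "all:\n\tcc -o hello hello.c\n",
    "hello/hello.c": '#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
    "hello/README": "toy project used to demonstrate reproducible packaging\n",
}


def write_tree(root, files, mtime):
    """Materialize the sample sources under root and stamp every file and
    directory with mtime, which stands in for the build host's checkout time."""
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.utime(path, (mtime, mtime))
    for dirpath, _, _ in os.walk(root):
        os.utime(dirpath, (mtime, mtime))


def normalize(ti):
    """tarfile filter: strip the header fields that leak the build host
    (timestamps, numeric and symbolic ownership, umask-dependent permission bits)."""
    ti.mtime = 0
    ti.uid = ti.gid = 0
    ti.uname = ti.gname = ""
    ti.mode = 0o755 if (ti.isdir() or ti.mode & 0o111) else 0o644
    return ti


def pack(root, deterministic):
    """Return a tar archive (bytes) of root/hello. Python >= 3.7 already adds
    directory entries in sorted order; metadata is normalized only when asked.
    GNU format is used so no PAX extended headers carry extra metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        tar.add(os.path.join(root, "hello"), arcname="hello",
                filter=normalize if deterministic else None)
    return buf.getvalue()


def sha256(data):
    """Hex digest of the artefact; this is what a distributor would compare
    against an independent rebuild."""
    return hashlib.sha256(data).hexdigest()


def rebuild_and_compare(deterministic):
    """Simulate two independent builds of the same sources on hosts with
    different clocks. Returns True when both produce bit-identical archives."""
    digests = []
    for mtime in (1_000_000_000, 1_500_000_000):  # two constructed checkout times
        with tempfile.TemporaryDirectory() as root:
            write_tree(root, SAMPLE_SOURCES, mtime)
            digests.append(sha256(pack(root, deterministic)))
    return digests[0] == digests[1]


if __name__ == "__main__":
    print("naive packaging reproducible:     ", rebuild_and_compare(False))
    print("normalized packaging reproducible:", rebuild_and_compare(True))
```

The naive build differs between the two hosts purely because of mtime fields in the tar headers, which is exactly the kind of host leakage a distributor's clean-room rebuild would flag; a real package check would additionally pin the toolchain version and run the build with networking disabled, which this example does not attempt.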