by lrvick 791 days ago
I am, yes. Alpine is not full-source-bootstrapped, often imports and trusts external binaries blindly, has no signed commits, no signed reviews, no signed packages, and is not reproducible. It is one phished git account away from a major supply chain attack any day now.

Alpine chooses low security for low contribution friction. It is the Wikipedia of Linux distros, which granted it a huge package repository fantastic for experimental use and reference, but it is not something sane to blindly trust the latest packages of in production.

It is one of the reasons why I made stagex, which in most cases is a near drop-in replacement.

https://codeberg.org/stagex/stagex


Thanks for the detailed response!

EDIT: Also, stagex looks pretty compelling; I hope it catches on!