Damus
Mr Penguin
@Mr Penguin
"Arch Linux Malware Incident: Malicious Commits Found in 1,579 Packages"

Hmm, yeah... see, I knew there was a reason I have never been a fan of Arch.

I may be a laissez-faire proponent when it comes to free markets, but I'm not a laissez-faire proponent when it comes to my operating system.

There should be some amount of control over a distribution.

Arch, Ubuntu, and other distributions that aren't Debian/Trisquel/etc. lack proper safeguards in their package management departments.

Arch takes it one step further in that it pushes untested upgrades that undermine the stability of the system.

While Debian's approach (Debian stable) is very solid, it's not perfect. There are packages that should receive upgrades, not just security updates, but don't over the course of a release's lifetime.

The best approach? It's called a partial rolling release where most packages only receive security updates, but some packages receive upgrades AFTER being thoroughly tested.

What makes Debian's approach better? It's the care and attention paid to the details, both in taking on new package maintainers, and in the updates that get pushed.

Debian has policies that restrict who can create packages for its distribution and repository. It's not a free-for-all where anyone at all can submit a package. Packages are publicly maintained, everything is built from source (in core), and new package maintainers undergo a process. First you start as a contributor and submit a patch; in time, and after multiple developers sign off, you end up a trusted package maintainer. It's not perfect, but it's a far better approach than the laissez-faire approach of many distributions.

Solid desktop distributions tend to be built off Debian with tweaks and selective backports.
sister_sam · 4d
nostr:nprofile1qy2hwumn8ghj7un9d3shjtnyd968gmewwp6kyqpq05gxtz00vfxzdela6xrhyvtqxmaxqz65d9hws3d56e72trqgcmvsxk52hs Doesn't have much of anything to do with Arch, as the packages are not Linux-variant-specific and there is limited time and expertise to catch all issues. In Debian it can take a lot lon...