
Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]



On Thu, 4 Mar 2021 19:05:38 +0100
tomas@tuxteam.de wrote:

> On Thu, Mar 04, 2021 at 11:16:25AM -0500, Celejar wrote:

...

> > I know I can't avoid the risk
> > entirely, but this is one of the reasons I try hard to limit my use of
> > software to stuff in the repos. I understand it's no magic bullet
> > against this type of thing, but in my (not very informed) judgment, it's
> > less likely to happen to stuff that Debian is vetting. I.e., I'm hoping
> > that all those hoops that Debian makes packages jump through, which
> > prevent stuff I do want from entering the repos, will work here in my
> > favor ;)
> 
> That's my approach, too; but I realise that trust is, at the bottom,
> a social thing. Technology can only be a tool in this.
> 
> The "classical" distro way is becoming more and more difficult; for
> "monsters" like Chrome, the distribution can't vet everything, and as
> software becomes more and more entangled (with version dependencies
> on the newest micro-version), people resort more and more to docker
> images, flatpaks and what have you.

Indeed. Recent example: I wanted to learn Kotlin and try some simple
Android development. Neither IntelliJ IDEA nor Android Studio are in
the repos, so I had to install them from upstream's tarballs and hope
for the best. I suppose I could have been more principled and installed
them to VMs or containers - maybe I should still reconsider and do that.

Celejar

