undefined | Better HN

0 pointsdrran4y ago0 comments

Maintainers are not developers, they are users, so the developer cannot push unwelcome changes, such as ads, trackers, trojans, backdoors, keyloggers, etc. directly to users because the maintainer will refuse to accept that.

0 comments

AnIdiotOnTheNet4y ago

On the other hand, maintainers can and have inserted (accidentally or not) vulnerabilities in software, and ignore developer wishes (like "please stop distributing this ancient unmaintained software without this warning that says it is ancient and unmaintained"), which reflects poorly on the developer in the mind of the user.

I personally see no upside to shoving an unpaid third party between user and developer.

southerntofu4y ago

> I personally see no upside to shoving an unpaid third party between user and developer.

I think F-Droid is a good example of striking a balance between those two extreme models. Their existence enforces community vetting of apps as well as somewhat-reproducible thanks to their standardized build infra, which are two major wins.

I personally have much more trust in such schemes (such as guix/nix) because i don't necessarily trust all of the developers of apps i use not to get hacked, and i believe enabling one-click updates to every user of an app without review is a dangerous pattern for security.

goohle4y ago

> On the other hand, maintainers can and have inserted (accidentally or not) vulnerabilities in software,

Such maintainer will be kicked off from distribution.

> and ignore developer wishes (like "please stop distributing this ancient unmaintained software without this warning that says it is ancient and unmaintained")

Developer wishes are developer wishes. User wishes are more important. If package has a maintainer, then it IS maintained.

You can use any distribution developed by developers (do you know any?) if you dislike maintained distributions and share experience with us.

AnIdiotOnTheNet4y ago

> Such maintainer will be kicked off from distribution.

ORLY? What's Kurt Roeckx[0] up to these days? Oh right, he's the Debian Project secretary, despite famously crippling RNG in OpenSSL.

> Developer wishes are developer wishes. User wishes are more important.

You mean like the wish to get up to date software directly from the developer without waiting for some third-party middleman to get around to updating the repo?

> You can use any distribution developed by developers (do you know any?) if you dislike maintained distributions and share experience with us.

Such a beast doesn't seem to exist in the Linux world, so I just don't use Linux. Linux Desktop's abysmally low market share may or may not be related.

[0] To be fair to Kurt, he wasn't the only one who didn't see a problem removing those lines and he did ask around first. It is an understandable mistake and I don't mean to crucify him.

TingPing4y ago

> Such maintainer will be kicked off from distribution.

Debian did this, they said oops and moved on. Packagers suck as developers, they apply patches they don't fully understand to solve problems they don't understand on codebases they don't understand.

j / k navigate · click thread line to collapse

0 comments

AnIdiotOnTheNet4y ago

I personally see no upside to shoving an unpaid third party between user and developer.

southerntofu4y ago

> I personally see no upside to shoving an unpaid third party between user and developer.

goohle4y ago

> On the other hand, maintainers can and have inserted (accidentally or not) vulnerabilities in software,

Such maintainer will be kicked off from distribution.

> and ignore developer wishes (like "please stop distributing this ancient unmaintained software without this warning that says it is ancient and unmaintained")

Developer wishes are developer wishes. User wishes are more important. If package has a maintainer, then it IS maintained.

You can use any distribution developed by developers (do you know any?) if you dislike maintained distributions and share experience with us.

AnIdiotOnTheNet4y ago

> Such maintainer will be kicked off from distribution.

ORLY? What's Kurt Roeckx[0] up to these days? Oh right, he's the Debian Project secretary, despite famously crippling RNG in OpenSSL.

> Developer wishes are developer wishes. User wishes are more important.

You mean like the wish to get up to date software directly from the developer without waiting for some third-party middleman to get around to updating the repo?

> You can use any distribution developed by developers (do you know any?) if you dislike maintained distributions and share experience with us.

Such a beast doesn't seem to exist in the Linux world, so I just don't use Linux. Linux Desktop's abysmally low market share may or may not be related.

[0] To be fair to Kurt, he wasn't the only one who didn't see a problem removing those lines and he did ask around first. It is an understandable mistake and I don't mean to crucify him.

TingPing4y ago

> Such maintainer will be kicked off from distribution.

Debian did this, they said oops and moved on. Packagers suck as developers, they apply patches they don't fully understand to solve problems they don't understand on codebases they don't understand.

j / k navigate · click thread line to collapse