Run the Debian Stable version and you're spared such churn. The version you're running may lag the current one by a few points but that is a small price to pay for relative stability (as in 'know your daemons'). Security fixes are backported but new functionality is not. While not a perfect guarantee - remember the weak key debacle - this strategy does provide a stable baseline which, in contrast to proprietary software [1], can be audited for telemetry/data leaks/etc.
[1] Yes, yes, yes, it is possible to run that proprietary tool through Ghidra (et al.) to look for nasties as well, but this is far harder; you don't just run a diff between two binaries.