
Comment by m4rtink

2 hours ago

If DNF/RPM is used there will often be a separate distro maintainer that should ideally review any changes coming from the upstream before pulling them into the distribution.

Also, not all maintainers always pull in the latest upstream changes, only rebasing to a new stable release or when the new features or fixes are actually needed for the distro stack.

Definitely not bulletproof, but still IMHO more robust than "Let's just spray latest code from upstream without any review directly to production with a firehose!", which seems to be the norm.

Yeah with RPM and dpkg you're trusting the distro, or maybe individual distro maintainers, depending on how you consider it. But there are norms in the distro about what those scripts are for and how to use them, and there's some social enforcement around that.

The real issue for hooks in packaging formats like those is when you start adding third-party vendor repositories, e.g., Zoom, Google Chrome, Discord. None of the social enforcement mechanisms are there and the companies behind the products I just mentioned all have histories of abusing them.

That's why it's generally better to use Flatpak for things like that if your distro itself doesn't include them.
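The review that the distro normally does for you is exactly what is missing for a vendor repository, so the practical mitigation is to look at a package's install hooks yourself before letting it run as root. The shell script below is an added example written for this page, not code from the thread or from any of the projects named in it. It reads scriptlet text in the format that `rpm -qp --scripts pkg.rpm` prints, flags the lines a reviewer would want to see (network fetches, repo or key installation, enabling services, cron, sudoers, ld.so), and reports the scriptlet each line belongs to. The sample scriptlet text, the `example.invalid` URLs and the pattern list are constructed for the example; the list is a heuristic starting point, not an exhaustive policy.

```shell
#!/bin/sh
# Constructed sample of what `rpm -qp --scripts vendor.rpm` prints for a
# package that wires itself into the system on install. Not a real package.
SAMPLE_SCRIPTLETS='postinstall scriptlet (using /bin/sh):
if [ ! -f /etc/yum.repos.d/vendor.repo ]; then
  curl -fsSL https://example.invalid/vendor.repo -o /etc/yum.repos.d/vendor.repo
fi
rpm --import https://example.invalid/vendor.gpg
systemctl enable --now vendor-updater.service
echo "0 * * * * root /opt/vendor/update" > /etc/cron.d/vendor
postuninstall scriptlet (using /bin/sh):
rm -f /etc/cron.d/vendor'

# Heuristic patterns worth a human look before a third-party package runs
# its hooks as root (assumption: this list is illustrative, extend to taste).
PATTERNS='curl |wget |rpm --import|apt-key|[.]repo|sources[.]list|systemctl enable|/etc/cron|/etc/sudoers|/etc/ld[.]so'

# review_scriptlets: read scriptlet text on stdin, print every matching line
# prefixed with the scriptlet it belongs to, exit 1 if anything matched.
review_scriptlets() {
  awk -v pat="$PATTERNS" '
    /scriptlet \(using/ { section = $1; next }
    $0 ~ pat            { found = 1; printf "[%s] %s\n", section, $0 }
    END                 { exit found ? 1 : 0 }'
}

# review_rpm: dump the scriptlets of a local .rpm and review them.
review_rpm() { rpm -qp --scripts "$1" | review_scriptlets; }

# review_deb: same for a .deb; dpkg-deb -I prints the named maintainer
# scripts, and a synthetic header line gives each one a section name.
review_deb() {
  for f in preinst postinst prerm postrm; do
    printf '%s scriptlet (using /bin/sh):\n' "$f"
    dpkg-deb -I "$1" "$f" 2>/dev/null
  done | review_scriptlets
}

# count_findings: number of flagged lines in the constructed sample.
count_findings() {
  printf '%s\n' "$SAMPLE_SCRIPTLETS" | review_scriptlets | wc -l | tr -d ' '
}

# Usage: review_rpm vendor.rpm   or   review_deb vendor.deb
# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_SCRIPTLETS" | review_scriptlets
```

Run it against the sample and the six flagged lines show the package adding its own repo and signing key, enabling a service, and installing a cron job, which is the kind of behaviour a distro maintainer would push back on in review. Because the function exits non-zero when anything matches, it drops into a CI or pre-install gate without further plumbing.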

  • > Yeah with RPM and dpkg you're trusting the distro, or maybe individual distro maintainers, depending on how you consider it.

    Not all packages come from the distro. People can and do enable external sources for software that isn't part of their OS.