Comment by isityettime
5 hours ago
Yeah with RPM and dpkg you're trusting the distro, or maybe individual distro maintainers, depending on how you consider it. But there are norms in the distro about what those scripts are for and how to use them, and there's some social enforcement around that.
The real issue for hooks in packaging formats like those is when you start adding third-party vendor repositories, e.g., Zoom, Google Chrome, Discord. None of the social enforcement mechanisms are there and the companies behind the products I just mentioned all have histories of abusing them.
That's why it's generally better to use Flatpak for things like that if your distro itself doesn't include them.
> Yeah with RPM and dpkg you're trusting the distro, or maybe individual distro maintainers, depending on how you consider it.
Not all packages come from the distro. People can and do enable external sources for software that isn't part of their OS.