this post was submitted on 04 Jun 2024
272 points (98.9% liked)

Linux

47940 readers
1340 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] BananaTrifleViolin@lemmy.world 11 points 4 months ago* (last edited 4 months ago)

It kind of makes sense except the vast majority of software in all distros is not being packaged by the developers, its being packaged by volunteers in the relevant project. Most software is being used on trust that it is built off the original code and not interfered with.

Its very difficult for any distros to actually audit all the code of the software they are distributing. I imagine most time is spent making sure the packages work and don't conflict with each other.

The verified tick is good in flatpaks but the "hide anything not verified" seems a little over the top to me. A warning is good but most software is used under trust in Linux - if you're not building it yourself you don't know you're getting unadulterated software. And does this apply to all the shared libraries on flathub? Will thebwarn you if your software is using shared libraries that ate not verified?

And while Flatpak is a potential vector to a lot of machines if abused, it is also a sandboxed environment unlike the vast majority of software that comes from distros own repos.

Also given the nature of Flatpaks, any distros could host its own flatpaks but everyone seems to use flathub. If they're not going to take on the responsibility of maintaining flathub and its software then their probably needs to be some way of "verifying" packages not coming directly from the developers. Otherwise users may lose put on the benefits of a shared distros agnostic library of software.

I get why mint are doing this but i think its a bit of a false reassurance. Although from mints point of view they would be able to take direct responsibility for the software they distribute in their own repos (as much as you can in a warrentyless "use as your own risk" system)