this post was submitted on 28 May 2024
59 points (90.4% liked)

Linux

48680 readers
406 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
59
submitted 6 months ago* (last edited 6 months ago) by [email protected] to c/[email protected]
 

I've been using arch for a while now and I always used Flatpaks for proprietary software that might do some creepy shit because Flatpaks are supposed to be sandboxed (e.g. Steam). And Flatpaks always worked flawlessly OOTB for me. AUR for things I trust. I've read on the internet how people prefer AUR over Flatpaks. Why? And how do y'all cope with waiting for all the AUR installed packages to rebuild after every update? Alacritty takes ages to build for me. Which is why I only update the AUR installed and built applications every 2 weeks.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 4 points 6 months ago* (last edited 6 months ago) (1 children)
[–] [email protected] 1 points 6 months ago (1 children)

The link you sent says that its an option that can be turned on or off. Also, that's for uploading. Doesn't say anytbify about verification of downloads.

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

From the page:

It is recommended that OSTree repositories are verified using GPG whenever they are used. However, if you want to disable GPG verification, the --no-gpg-verify option can be used when a remote is added.

That is talking about downloading as well. Yes, you can turn it off, but so can you usually do it with native package managers, e.g. pacman: https://wiki.archlinux.org/title/Pacman/Package_signing

[–] [email protected] 1 points 6 months ago (1 children)

where does it say this applies to downloads too?

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

I'm confused why you think it would be anything else, and why you are so dead set on this. Repos include a signing key. There is an option to skip signature checking. And you think that signature checking is not used during downloads, despite this?

Ok, here are a few issues related to signatures being checked by default, when downloading: https://github.com/flatpak/flatpak/issues/4836 https://github.com/flatpak/flatpak/issues/5657 https://github.com/flatpak/flatpak/issues/3769 https://github.com/flatpak/flatpak/issues/5246 https://askubuntu.com/questions/1433512/flatpak-cant-check-signature-public-key-not-found https://stackoverflow.com/questions/70839691/flatpak-not-working-apparently-gpg-issue

Flatpak repos are signed and the signature is checked when downloading.

It's OK to be wrong. Dying on this hill seems pretty weird to me.

[–] [email protected] 1 points 6 months ago (1 children)

If its not documented, we shouldn't assume it has a security feature.

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

You know what else we shouldn't assume? That that it doesn't have a security feature. And we additionally then shouldn't go around posting that incorrect assumption as if it were a fact. You know, like you did.

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

Oh, we should absolutely assume that software does not have security features unless those features are clearly documented (and audited)...

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago)

Feel free to assume that, but don't claim an assumption as a fact.

You recommended using native package managers. How many of them have been audited?