Comment by 🐙 norayr
ps, i am glad you are considering gentoo, but in terms of security one still needs to be cautious: there are some packages (well, recipes) marked with version 9999, which means they will download git versions of the software.
i myself prepared an ebuild for lagrange with version number 9999 which gets the git version.
git version from master or main is dangerous.
git version described by hash is probably better.
now in general, to the OP i will say: a package enters the distro, not only gentoo, usually as a recipe on how to build it: where to get it, what the hashes of the downloaded files are, how to unpack, build, install and prepare the package.
then many people look at those, depending on the distribution.
and not only those involved in the creation of the distro: anyone in the world can study the code which those package recipes build.
and lots of security researchers, and black hat hackers too, do.
our main hope is that the problem will be found by good people, who will report it.
in general, using package repos, especially if you're on debian stable, is very safe. the package travels a long distance to reach stable and is very likely fine.
in arch the road to the rolling release is not so long, and the xz backdoor reached it.
and in general, installing from programming language package repos is not safe; we saw what happened several times, so sticking with the OS default package repos is much safer.
i think security is just one of the side effects of free software. but the main point is freedom.
alas it is much harder to comprehend than security or privacy. and many justify usage of iphones by 'security', however bizarre it sounds. (:
i also maintain lagrange and many other packages for the official repos of one linux distro. the community is small, i was active, they have known me for years, in general they trust me, sometimes they ignore me.
so i provide the recipe and the source, and ci builds it.
usually all package building pipelines forbid downloading code from internet at build time.
you must upload the source and it will be passed to the builder along with your patches, if any.
Mar 22 · 9 months ago
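The comment above makes two concrete points: a recipe pins its sources by hash (and a git source pinned to a commit id is safer than one tracking master/main), and the build pipeline will not fetch anything at build time, so the uploaded distfile must already match the pin. The script below is an added example in that spirit; it is not the commenter's ebuild, not Gentoo's portage and not any distro's CI tooling. It assumes `sha256sum` from coreutils, and the file names and hashes in the demo are constructed on the fly.

```shell
#!/bin/sh
# Added example, not the commenter's code and not any distro's build tooling:
# a toy "recipe" check that mirrors what a package recipe pins and what a
# build pipeline enforces. Assumes sha256sum (coreutils); the rest is POSIX sh.
# All file names and contents below are constructed for the demo.

# Hex sha256 digest of a file.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Verify a source artefact against the hash pinned in the recipe.
# Exit status 0 on match, 1 on mismatch or unreadable file.
verify_source() {
    _actual=$(file_sha256 "$1" 2>/dev/null) || return 1
    [ "$_actual" = "$2" ]
}

# Classify a git ref the way the comment distinguishes them:
#   pinned   - a full 40-hex commit id: the tree it names never changes
#   short    - an abbreviated hex id: can become ambiguous as history grows
#   floating - a branch name such as master/main (or a movable tag): the
#              content behind the name can change under you
git_ref_kind() {
    case $1 in
        "" | *[!0-9a-f]*) echo floating ;;
        *) if [ ${#1} -eq 40 ]; then echo pinned
           elif [ ${#1} -ge 7 ]; then echo short
           else echo floating; fi ;;
    esac
}

# The source step as build pipelines run it: the artefact must already be in
# the distfiles directory and must match the pinned hash. Nothing is fetched
# from the network here; a missing distfile is an error, not a download.
stage_source() {
    _distdir=$1; _name=$2; _sha=$3
    if [ ! -f "$_distdir/$_name" ]; then
        echo "missing distfile $_name: upload it, the builder will not download it" >&2
        return 1
    fi
    verify_source "$_distdir/$_name" "$_sha" || {
        echo "hash mismatch for $_name" >&2
        return 1
    }
    echo "staged $_name"
}

# Demo on a constructed distfile (hypothetical name, not a real release).
demo() {
    d=$(mktemp -d)
    printf 'constructed sample source archive\n' > "$d/lagrange-1.0.tar.gz"
    pin=$(file_sha256 "$d/lagrange-1.0.tar.gz")      # what the recipe would pin
    bogus=$(printf '%064d' 0)                          # a wrong pin

    stage_source "$d" lagrange-1.0.tar.gz "$pin"
    stage_source "$d" lagrange-1.0.tar.gz "$bogus" || echo "rejected: wrong hash"
    stage_source "$d" lagrange-9999.tar.gz "$pin"  || echo "rejected: nothing to build from"

    for r in main master 0123456789abcdef0123456789abcdef01234567 0123456; do
        echo "$r -> $(git_ref_kind "$r")"
    done
    rm -rf "$d"
}
demo
```

Run it as `sh recipe_check.sh`. The design point is in `stage_source`: the builder only ever looks in the distfiles directory, so the person submitting the recipe has to upload the exact source that the pinned hash describes, which is what makes the recipe reviewable by anyone who downloads the same file.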
Original Post
I've been using Linux for many years, mostly because it promises to be safe as open source. However, I still don't understand who is responsible for building the repository binaries and the hash sums that come with them: do maintainers build the binaries somewhere locally and then upload them to a repository with hash sums? Or do they just make a source code release, like a new Git tag, and then a shared OS image builds and signs it? If it's the first option, then my PC is a larger hole on the...