Nice blog post, and always nice to see RSS feeds.
I’ve never had practical trouble downloading scripts and identifying the creators, because I use package managers. I think the best general solution for normal end-users getting packages they can trust is always a well-audited package manager.
And of course, the GPG key solution seems to work well enough for coders.
I can’t imagine a general solution to Github workflows. I use Gitlab’s CI for LaTeX documents, but terraform code would obviously be better for other projects. It sounds like disparate solutions are a good idea.
Thanks! The RSS feeds are generated by Zola, the SSG i use (and contribute to sometimes).
I think the best general solution for normal end-users getting packages they can trust is always a well-audited package manager.
I entirely agree! And I personally don’t think that distro packaging is dead (or should die), but I do believe there’s a crisis in the field: nix/guix certainly represent a far better model in a day and age where there are tens of thousands of packages to maintain for many architectures.
The Debian/Fedora packaging system makes it more complex than it has to be to just push an update, because most of the steps have to be done manually. Of course, I appreciate it when some packages are maintained by trustworthy people inspecting the changelog, but no distro has the energy to do that for all packages…
I can’t imagine a general solution to Github workflows
Do you mean for CI/CD? I don’t understand why we need Github Actions at all. If only we could have a standardized protocol/vocabulary (like ForgeFed/ForgeFriends) to subscribe to updates across different forges, we could have pretty basic/standard tooling performing tasks as we like them.