• @federico3@lemmy.ml
    5 · 2 years ago

    Excellent points. Many “alternatives” to traditional distributions like docker, flatpak and similar harm security and stability in the long term. Users need systems that receive security updates for years without having to break functionality.

    • m-p{3}
      5 · 2 years ago

      There are some nice programs that I’d like to run but they’re exclusively distributed through Docker for now. Where does one learn the ropes to become a package maintainer?

      • dinomug
        1 · 2 years ago

        Where does one learn the ropes to become a package maintainer?

        Mostly in the documentation section of your distro’s page. Also you can ask in the community.

  • @jokeyrhyme@lemmy.ml
    -1 · 2 years ago

    I disagree somewhat, but I’ll make a distinction between libraries and directly-executed self-contained packages (e.g. apps, binaries, tools, etc.).

    I agree with Drew DeVault when it comes to apps, even though I personally prefer to use flatpak as much as possible, and only use a distribution’s package for an app as a last resort.

    However, I think it’s a mistake for any distribution’s own repository to include library packages that are more “officially” available elsewhere.

    It is bonkers to me the effort that distributions waste by packaging up libraries from rubygems, npm, pypi, or elsewhere, especially since the distribution’s copy will inevitably take longer to get security fixes than upstream.

    Not only that, but these distribution copies will be installed globally and can be found by that tooling if it happens to be installed, leading to all sorts of conflicts that new Node.js / Python / Ruby developers trip over time and time again.

    • @pingveno@lemmy.ml
      0 · 2 years ago

      The amount of duplication of effort also leads to many packages being lower quality than they could be. I remember when I did package maintenance for the AUR, I didn’t have much motivation to maintain a package that usually had a handful of users. But make that available on flatpak and I can justify spending more time because it benefits far more people.

      • poVoq (OP)
        0 · 2 years ago

        I use AUR very rarely as it precisely does not have the trusted distribution maintainer part that the above article talks about (anyone can upload scripts to AUR), but isn’t the usual way to make an AUR script and then propose that to the Arch maintainers for inclusion in the main repositories at some point? That would surely result in many more potential users than a flatpak ever could (not that I consider number of users a very useful metric).

    • @remram@lemmy.ml
      0 · 2 years ago · edited

      I don’t understand your recommendation. How could the distro package apps if they don’t package the libraries they depend on?

      • @jokeyrhyme@lemmy.ml
        1 · 2 years ago · edited

        Bundle the needed libraries inside the app package, or otherwise prevent them from being globally visible to other apps, and not make it easy for users to directly install them.

        • @remram@lemmy.ml
          1 · 2 years ago · edited

          Those libraries “inside the app package” would still be versions picked by the distro, and would still “inevitably take longer to get security fixes than upstream”, as you put it. In addition, it would take more disk space by having multiple copies.

          Is there a single benefit to this?