[kwlug-disc] A little anti-Windows humour for the group

B.S. bs27975 at yahoo.ca
Mon Jan 12 19:33:43 EST 2015


<various snips>
On 01/12/2015 02:10 PM, Paul Nijjar wrote:
> On Sun, Jan 11, 2015 at 06:31:41PM -0500, Chris Irwin wrote:
>> On 01/11/2015 12:17 PM, CrankyOldBugger wrote:
>>> I used to live in Download.com way back when, ...
>>
>> Unfortunately, the only thing stopping this from happening on our
>> systems is popularity.
>
> I actually do not believe that the only thing stopping this from
> happening on our systems is popularity. I believe there are two things
> stopping this:

(and popularity is hard to judge, reasonable / not junky web sites
probably being most of our yardsticks. Perhaps not accurate, in
hindsight, measurements of popularity / non-nefariousness.)

>
> - Centralized, trusted repositories that come with standard mechanisms
>    for adding/removing programs. (For Windows, ninite.com helps a lot,
>    but it is not comprehensive.)
>
>> How many project pages have I gone to that said "Ubuntu users can
>> add SomeGuy99's PPA". Who knows what that's throwing in there.
>
> Yes, there is an element of trust, and there have been times when that
> trust has been abused. The Windows freeware ecosystem does not deserve
> that trust. The Ubuntu ecosystem (for the most part) does.

I suppose git et al (GitHub?, others) has been regarded much as you
describe PPAs. I have always assumed so - maybe I shouldn't be.

It has only recently occurred to me that perhaps I'm confusing PPAs
(e.g. Launchpad) with build services?

I guess I have assumed that someone creates a PPA, puts source files in
there, and magic processes build the sources into executables available
for download. From what I have seen, those build services include
various checks for nefariousness (not saying exhaustive) that must pass
before a downloadable executable lands to be available. [e.g. Not
unreasonable dependencies, replacement dependencies not contained within
the 'tarball'.]

Have I confused build services and PPAs, and erroneously assumed some
level of oversight that isn't there? (And are there some PPA sites
(Launchpad?) to trust more than others / flags to watch for?)




