[kwlug-disc] Xubuntu 22.04 to 24.04 Upgrade
Doug Moen
doug at moens.org
Tue Oct 8 16:59:17 EDT 2024
This essay, "The modern packager's security nightmare", is from the point of view of a packager. The people who develop indie software projects often have a different experience with what the downstream packagers do to their packages, and the security and support problems these practices cause.
The developer of Xpra.org strongly recommends that you DO NOT use Debian or Ubuntu (etc) packages of Xpra, because those packages are buggy and insecure.
<https://github.com/Xpra-org/xpra/wiki/Distribution-Packages>
The problem is that Debian has too many packages, and not enough packagers, so a lot of those specialized packages in the "long tail" are bitrotted untested junk. See above link for a lot more detail and supporting evidence.
In the build process for my Curv program, I originally tried to use distro packages for my dependencies, but I learned from user bug reports that I need to statically link most of my dependencies. Curv is not in Debian AFAIK, and the packages that do exist are bitrotted junk, which I don't advertise.
Doug.
On Tue, Oct 8, 2024, at 1:22 PM, Chris Frey wrote:
> On Tue, Oct 08, 2024 at 08:59:38AM -0400, Khalid Baheyeldin wrote:
>> And that is a sign of the wider trend of reverting back to static linking
>> and distribution of packages as monolithic blobs.
>>
>> As if we (collectively) lost all the hard earned lessons that the UNIX
>> (then Linux) communities learned in the late 80s and early 90s about
>> shared objects (.so), dynamic linking and dependency management.
>
> After reading this article:
>
> https://blogs.gentoo.org/mgorny/2021/02/19/the-modern-packagers-security-nightmare/
>
> I realized that Go and Rust are still in the toy language development
> stage, despite the loudness of their fans claiming to be better.
> The ability to produce dynamic libraries and binaries and a stable
> ABI is a worthwhile task that they have not achieved yet.
>
> These missing features are causing Rust all kinds of headaches in trying
> to integrate with the Linux kernel, as they hit roadblocks caused by
> an immature popular language (Rust) marrying the MOST mature
> popular language (C).
>
> The list of Rust features too unstable for the kernel just yet:
>
> https://github.com/Rust-for-Linux/linux/issues/2
>
> Basically, the usual "rewrite it from scratch" problems that every new
> project goes through, from early days Gentoo not signing packages, to
> early days pip not doing it either. They leave the hard stuff until last. :-)
> Admittedly, even Debian didn't implement package signing until a
> number of releases in, as I recall, but Debian sure is mature now.
>
> - Chris
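The argument above turns on a practical question a packager has to answer for every binary: which dependencies are still dynamically linked (and therefore visible to the distro's security tooling) and which have disappeared into a static blob. The script below is an added example, written for this page and not taken from Doug, Chris, Curv, Xpra or the Gentoo essay. It reads the ELF program headers directly, finds the PT_DYNAMIC segment, and lists the DT_NEEDED and DT_RUNPATH entries, which is what `readelf -d` shows; a binary with no PT_DYNAMIC at all is the fully static case. It handles only 64-bit little-endian ELF, and the sample image it builds for itself is a constructed minimal ELF that is parseable but not loadable.

```python
import struct
from typing import List, Optional

# Constants from the ELF specification (elf.h); only the ones used here.
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 1, 5, 15, 29


def _vaddr_to_offset(loads, vaddr: int) -> int:
    """Map a virtual address to a file offset via the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("virtual address not backed by any PT_LOAD segment")


def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def dynamic_deps(data: bytes) -> Optional[dict]:
    """Return {'needed': [...], 'runpath': [...]} for an ELF64 LE image,
    or None when the image has no PT_DYNAMIC segment (static binary)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:          # EI_CLASS=ELFCLASS64, EI_DATA=little-endian
        raise ValueError("only 64-bit little-endian ELF handled here")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    loads, dyn = [], None
    for i in range(e_phnum):                   # walk the program header table
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)
    if dyn is None:
        return None
    entries = []
    for off in range(dyn[0], dyn[0] + dyn[1], 16):   # Elf64_Dyn is 16 bytes
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        entries.append((d_tag, d_val))
    strtab_vaddr = next((v for t, v in entries if t == DT_STRTAB), None)
    if strtab_vaddr is None:
        raise ValueError("PT_DYNAMIC without DT_STRTAB")
    strtab = _vaddr_to_offset(loads, strtab_vaddr)
    return {
        "needed": [_cstr(data, strtab + v) for t, v in entries if t == DT_NEEDED],
        "runpath": [_cstr(data, strtab + v) for t, v in entries if t in (DT_RPATH, DT_RUNPATH)],
    }


def build_sample_elf(needed: List[str], runpath: Optional[str] = None) -> bytes:
    """Constructed test image: header, one PT_LOAD, one PT_DYNAMIC, a string table.
    Virtual addresses equal file offsets. Not executable; only for the parser."""
    strtab, offsets = b"\0", []
    for name in needed:
        offsets.append(len(strtab))
        strtab += name.encode() + b"\0"
    rp_off = None
    if runpath is not None:
        rp_off = len(strtab)
        strtab += runpath.encode() + b"\0"
    ehdr_size, phdr_size, phnum = 64, 56, 2
    dyn_off = ehdr_size + phdr_size * phnum
    dyn_entries = [(DT_NEEDED, o) for o in offsets]
    if rp_off is not None:
        dyn_entries.append((DT_RUNPATH, rp_off))
    dyn_size = 16 * (len(dyn_entries) + 2)           # + DT_STRTAB + DT_NULL
    strtab_off = dyn_off + dyn_size
    dyn_entries += [(DT_STRTAB, strtab_off), (DT_NULL, 0)]
    total = strtab_off + len(strtab)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, ehdr_size, 0, 0,
                        ehdr_size, phdr_size, phnum, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         dyn_size, dyn_size, 8)
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    return ehdr + phdrs + dyn + strtab


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_elf(["libc.so.6", "libssl.so.3"], "$ORIGIN/lib")
    print(dynamic_deps(data) or "static: no PT_DYNAMIC segment")
```

Run it on a real binary (`python3 elfdeps.py /path/to/binary`, where the file name is whatever you saved it as) and compare the NEEDED list against what the upstream project's own build links dynamically; a library that upstream depends on but that is missing from the list has been bundled or statically linked, and will not be fixed by a distro security update to that library. A non-empty `runpath`, especially one under `$ORIGIN`, is the usual sign of a vendored copy loaded from the package's own directory.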