Follow-up to a post I made a while ago: those who use forks of forks/lesser-known distros: do you trust their update repos?
Posted by OrangeKitty21@reddit | linux | 6 comments
Yet another reason I try to stay with “mainstream” Linux is because of the update repos some forks use. For me, putting all of your trust into a repository with little known about it, or its security, makes me feel uneasy. I feel that it is a security risk, mainly because you’re allowing arbitrary code to be downloaded and run on your machine. You might argue that since it’s open-source people are constantly auditing, which has some merit to it, but with these lesser-known repos there are bound to be fewer people reviewing code, and more opportunities for bad actors. What do you think?
carl2187@reddit
Lots of supply chain attacks in the news recently. Very valid concern for sure.
I go with a "name brand" like Fedora, Debian, etc. Although most of us pull in 3rd party repos too, like rpm fusion. But yea, I always use a mainstream distro for this reason. At least if a supply chain attack occurs, it'll be quick to be spotted and fixed... in theory...
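The third-party repos mentioned above are where verification settings tend to get relaxed, so a defender's first check is whether each enabled repo actually enforces signature checking. The script below is an added example, not code from this thread or from any distro; it assumes standard INI-style dnf/yum `.repo` files and uses a constructed sample rather than a real repo.

```shell
#!/bin/sh
# Added example (not code from the thread): audit dnf/yum .repo files for settings
# that weaken verification of a third-party repo such as rpmfusion. Assumes the
# standard INI-style layout ([id] sections, key=value lines). Flags per section:
# gpgcheck absent or not 1, no gpgkey, and plain-http baseurl/metalink/mirrorlist.

audit_repo_file() {
    # Prints one line per finding: "<section-id> <problem>". No output = nothing flagged.
    awk '
        function flush() {
            if (sec == "") return
            if (gpgcheck != "1") print sec " gpgcheck-not-enabled"
            if (gpgkey == "")    print sec " no-gpgkey"
            if (plainhttp)       print sec " plaintext-url"
        }
        /^\[.*\]/ { flush(); sec = substr($0, 2, length($0) - 2)
                    gpgcheck = ""; gpgkey = ""; plainhttp = 0; next }
        /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
            else if (key ~ /^(baseurl|metalink|mirrorlist)$/ && val ~ /^http:\/\//)
                plainhttp = 1
        }
        END { flush() }
    ' "$1"
}

# Constructed sample: one well-configured section and one weak third-party section.
sample_repo_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[fedora]
name=Fedora $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch

[example-third-party]
name=Example third-party repo (constructed, not a real repo)
baseurl=http://repo.example.invalid/fedora/$releasever/
gpgcheck=0
EOF
    echo "$f"
}
# Usage: sh audit_repos.sh /etc/yum.repos.d/*.repo
for repo in "$@"; do audit_repo_file "$repo"; done
```

Running it over the sample prints three findings for `example-third-party` and none for `fedora`; on a real system, point it at `/etc/yum.repos.d/*.repo`.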
Business_Reindeer910@reddit
rpmfusion has a 20+ year track record, so it's not equivalent to a lot of other third-party repos.
natermer@reddit
This is correct. The amount of pain, suffering and anguish that various third-party rpm projects went through to get to the point where they combined forces and eventually evolved into rpmfusion is very significant.
natermer@reddit
Linux distributions can roughly be divided up into two categories:
A) General purpose. These are Linux distributions designed to be do-anything, be-anything distributions. You can use them for desktops, web hosting, scientific computing, etc. The most "general" are going to be things like Debian and Gentoo.
B) Special purpose. These are Linux distributions that are made for a special purpose or to do a specific thing. Like being a router OS, or being an OS just for hosting virtual machines.
I use and trust a lot of special purpose Linux distributions because I know other people use them and support them as well.
Like Home Assistant Operating System (HAOS), Proxmox, or OpenWRT. Because they are special purpose, everybody more or less shares the same configs and uses the same set of software. The amount of man hours that is required to support them and track security issues is a lot less than with something like Debian or Red Hat Linux.
When it comes to general purpose Linux distributions... that is a huge undertaking. But the flip side is that because they are general purpose there isn't anything you can do with one that you can't about as easily do with the other.
Like if I use Arch Linux or AlmaLinux or Debian Linux... they all can do about the same thing. There really isn't that much difference in actual capabilities. Things like package managers and whatnot are really not that important in the greater scheme of things. They are all just about as capable as the other.
What you get with "lesser known" or smaller project distros is like a slightly different default install.
Well... ok, if you want a very specific default install or you really really hate systemd or really really love the Nix package manager or something like that... What really is the point? Unless you plan on participating in the Linux distro project itself as a hobby or something like that, then the political or community aspect doesn't matter a whole lot either.
There are a lot of advantages to sticking with the bigger ones in that case.
Lower-Limit3695@reddit
The devil is often in the details. For ublue's bootable container images like Bazzite, Bluefin, and Aurora, they pull Fedora images as they're released straight from their container repo and rebuild them with their custom changes on
As a result their images track very closely to upstream, often releasing updates within 24 hours of a new update to the upstream Fedora image.
kombiwombi@reddit
Struggling with this question a little. How is this not the same threat as considered for the original installation?