> Linux package managers are looking like one of the only straightforward ways to distribute applications securely.

Linux distributions package what is released upstream. If upstream is compromised, so is the Linux package.

Generally, Linux package maintainers grab the upstream source, while most of these compromises seem to be of the binaries. And, of course, the maintainers generally review the changes before publishing them.

No, Linux distributions offer packages and operating systems that are the result of painstaking work in which all upstream code is reviewed, patched for any inconsistency, and often blocked from going into public archives until known bugs are fixed.

That's... optimistic.

That's how OpenSUSE works. Debian too AFAIK.

It's the aspirational ideal behind how these projects work.

Actually, most have scripts that pull the upstream source and build new binaries without any manual intervention. It is the responsibility of the package maintainer to review every change in code.
