> Getting maintainers out of the loop for auditing packages
Do maintainers commonly audit source code to look for vulnerabilities? And at any rate, aren't the common security-critical libraries for flatpaks, like OpenSSL, already (in theory) provided and maintained by the runtimes?
All the major consumer OSs distinguish between system components, like cryptographic services and graphics libraries, and user-facing applications. The world hasn't collapsed for them so far, and in an ideal world that distinction allows for better delegation of responsibilities.
It's definitely not so cut and dried - maintainers have actually managed to introduce vulnerabilities into software too. The famous Debian SSH key generation issue comes to mind.
This was in 2006. 2006. And people still have to dig back to then to make this point.
In 2006 the security landscape was very different. The common understanding of security being a tremendously subtle issue was much, much lower. A typical system from 2006 was much more trivially exploitable than one today. A lot of things can be said about security attitudes in 2006 vs now.
My experience when I worked on upstream open source software was that distribution package makers would routinely introduce subtle bugs into programs via the act of packaging. In fact, on the project I worked on we stopped supporting users who didn't use our own upstream packages because the number of bugs introduced by downstream packagers was just so huge.
I can't see any real benefits to the Linux approach and never could. It's one of the reasons I ended up moving to macOS. There's hardly any malware there too and yet app developers build packages themselves.
Not always and not comprehensively, but they work alongside their users to tune packages as appropriate. It introduces a dispassionate third party for users to report issues to, who can fix problems which the upstream has an incentive not to fix.
> The world hasn't collapsed for [major OS vendors] so far
Hell yes it has. Malware and user-hostile software are running rampant on the "major" platforms like Windows and macOS. Have you ever used a non-technical person's computer for a few minutes? It's like a warzone.
And yet people seem to prefer that warzone to the alternative that open source software offers. You can bury your head in the sand and claim that's only because of Microsoft FUD campaigns, dirty business practices, advertising, or whatever, but you're wrong, because even many people who know about and have experience with Linux choose that warzone.
Personally, I think that says a lot about the Linux desktop and its community.
> Have you ever used a non-technical person's computer for a few minutes? It's like a warzone.
I have used non-technical people's Windows machines, and they were not a warzone. I've looked over the shoulder of plenty of other people using Windows & Mac computers, and generally not seen any obvious signs of malware infestation. There could be unseen malware lurking, but we can't assume that with no evidence.
Maybe this depends on the non-technical people you know, but it's definitely possible for people to use Windows/Mac computers and not be dropped in a pit of malware.