> "Only download from here; if it doesn't have what you want, tough luck".
It's not that doing otherwise is prohibited. It's that doing otherwise should get your hackles up.
Which is why it isn't this:
> this seems like an argument in favor of a walled garden.
There are no walls. It's just a garden. But you have to understand that if you leave the garden, you're on your own.
For software developers and IT professionals, that's fine. They have a professional knowledge of the reputation of the source or know how to read the code, or how to set up a virtual machine if they want to try it but don't trust it. And if an ordinary user who is rightly wary of doing that still wants to get the latest AI thing from GitHub, they call up their friend the software developer or their company's IT department or pay a computer repair shop they trust to set it up for them.
But that should be rare, because anything which is both popular and safe should promptly get added to the package manager.
Agreed, not a "walled" garden but a garden. Essentially an app store.
So essentially if Windows had this, problem fixed?
Or put another way, if most users came to Linux and started downloading crap from everywhere, there would be incentive for malware authors to write it for Linux, bringing it to the current situation with Windows?
> So essentially if Windows had this, problem fixed?
The problem is that the nature of Windows isn't to have this. Linux package managers are run by the community. They basically include anything popular that meets the licensing requirements to allow them to redistribute it. Windows instead has a "store" that wants to extract a vig, but because most of the software people use on Windows is commercial, the vendors then avoid the store to avoid the vig and the default is to install things from random websites.
And even if they fixed that, people are used to doing it the other way, vendors have already spent the time to set up alternate distribution infrastructure and they don't trust Microsoft not to reverse course once a critical mass of things are using their system and they can increase the friction to installing things from outside of it and then turn the screws on anything inside it.
To make it work there you would need the distribution system to be run by multiple independent third parties so they'd have to compete with each other to keep distribution margins low. There probably is a market for a third party "store" for Windows that pays the 3% to the credit cards and then distributes the apps via P2P so they can charge no more than 5% to app developers, which the app developers might then actually use because they don't have to build their own system for payments and updates. But the stores want to charge 30% and then the developers don't want to use the stores.
> The problem is that the nature of Windows isn't to have this.
Interestingly, they're getting a version of it. The winget command line package manager that Windows ships with now has two sources, the MS store, and the winget community repo. The community repo is something anyone can submit to and it goes through some vetting process[1].
It's not quite the same though, as there are different considerations when using a repository of things a unified group has decided should be included and built (or slightly modified existing) packages for and a repo where anyone can submit a package that will go through some level of vetting. In the end I still believe most of this discussion is really about individuals and how much trust they apply towards different groups and sources and is not really about Linux or Windows in particular as much.
The problem on Windows isn't exactly the lack of apt-get. It's the general problem of not making paid software distribution sufficiently fungible. Which is a cross-platform problem but manifests most on Windows because that's the platform where people use the most third party commercial software.
The Linux community "solves" this problem by directing commercial software vendors to the door and implementing anything they want as open source. But having something that works for this would help even there, for the cases where that hasn't worked, like AAA games.
Ironically the best way to solve this for proprietary software would be an open system. Have someone create a software distribution framework that uses open source code and federated P2P for distribution with pluggable payment processors. Make it an interoperable standard.
The idea is that it's a distribution system with no central distributor, a payments system which is independent of a payment processor. The vendor chooses which payment processors they want to accept (which might just be all of them), then the user chooses which ones they want to pay with, and if the vendor gets into a dispute with a payment processor their users automatically get diverted to a different one. If they get tired of their hosting provider they move to another one without the users ever noticing.
But then you need someone to develop it when its very purpose is to make sure nobody can extract high rents.
A coalition of mid-sized developers might be wise to pool their resources. Or, for that matter, get in with a bigger pool, because this is a problem that exists for subscription services and small businesses in general.
> But then you need someone to develop it when its very purpose is to make sure nobody can extract high rents.
It doesn't address a very important aspect of this which is trust, and that's most of the point of this discussion. People use repos usually because there's some level of trust in the repo maintainers. If anyone can push anything, then it's a liability to have that repo configured. If it requires careful vetting, then that costs money, and requires a central authority, which means it doesn't really matter whether it's P2P or not (except to lower cost), as it's centrally managed anyway.
Theoretically I could see a system like that in place where the "network" is all open and P2P and you just subscribe to sets of packages that have been "signed" by an authority you trust, but I'm not sure that the P2P portion is really all that useful then.
The whole reason the default repos in a Linux distro are things people feel safe running whatever they find in is because they know a group of people they trust has vetted it. If you're running Debian/Ubuntu/RHEL/Rocky/Windows/MacOS you've already trusted the maintainers of their default repos/etc by the nature of running their OS in the first place. People also often choose to trust large companies (Adobe, VMware, Google for Chrome in some cases) and/or well known groups/projects (Apache, ffmpeg, etc) when they distribute software separately, even if downloaded manually. Finally, people make ad-hoc choices about random less well known sites and people, and that's where random Windows executables or Linux binaries, or installer scripts that are downloaded and run or piped to bash from curl happen.
All those levels of trust and those parties exist for every OS. Even Linux has its fair share of third party downloaded applications people use, depending on what they use their system for. Some communities of people (e.g. developers) are much more comfortable with ad-hoc installation methods like curl|bash than others, and that's across OS boundaries. That's really what I meant way upthread when I said this isn't a Linux problem, it's a people problem.
Windows does have this, of course, so the question is, have security issues with Windows decreased in line with the rise of users using the Windows Store to acquire packages, or is there just as much malware on the store?
(Genuine questions, I don't know the data, or even if the data exists outside of MS)
1) Download random shit from the internet at your own risk. If you're given a vast supply of safe software, and you choose not to use it, remember that you're a grown up and you should do what you like.
2) Nobody is objecting to walled gardens with no walls. Almost nobody, I should say; I've seen people tell Apple users that the fact that they are happy with the app store makes them bad in some way, but those people are shitheads. The reason to attack Apple is on behalf of their users, not some perverse brand nationalism.
If an Apple user can install whatever they want, and end their relationship with the Apple corporation at any time, that's winning. If the vast majority of Apple users decide that they value whatever contract (implicit or explicit) that Apple has made with them, and enjoy the relationship and the stewardship of the app store, that's a choice they're making as free people. And under the pressure of free people, the app store would have to improve anyway. I certainly have affection for what Debian does (and for everybody who wrote the software packaged in Debian.) Why shouldn't they feel that for Apple?
I misspoke, it's indeed a "garden", not a walled garden.
Linux users often rail against Apple's gardens, so it'd be dishonest to pretend otherwise. I should know! I've been a Linux user for 20 years now.
> If you're given a vast supply of safe software, and you choose not to use it, remember that you're a grown up and you should do what you like.
But lots of software in Linux isn't available in any repos. For example, games and stuff a typical mainstream user would expect. So Linux couldn't be turned into a "safe" mainstream OS unless it adopted a more diverse "app store", like macOS.
But this could very well be done by Windows, so it's not that one OS is "safe" or "safer" than the other. It's essentially a popularity thing.
> Download random shit from the internet at your own risk
And here we have it! Linux users "download random shit at their own risk" because they are not mainstream users; their needs are served by their distro's repo because their needs are different. If Linux was a mainstream OS, with the kinds of users that come with it, it would either have to turn into macOS or Windows. Either draconian measures (a single store where you can buy everything), or no measures at all (== malware).
Expecting people to "review the installer" is ridiculous.
Regular users on Linux shouldn't be downloading software through their web browser at all.
They should be adding a repository trusted with keys but so far UI/UX for it is horrible for regular users. Still better than... whatever the fuck Windows is doing tho.
> Also, this seems like an argument in favor of a walled garden.
It is always entertaining to see HN's commentariat both rail against walled gardens by (for example) Apple or Android that are aimed at making life easier for regular people, while advocating them for Linux.
I strongly disagree. "Only download from here; if it doesn't have what you want, tough luck".
Also, this seems like an argument in favor of a walled garden. If so, I suppose that would fix Windows.