this post was submitted on 08 Jul 2023
237 points (94.1% liked)
Linux
48323 readers
712 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I never found out what's wrong with APT.
APT is best
APT is not good at managing dependency hell. This is a common problem for all package managers that don't typically bundle dependencies. You can get 30000 open source packages from trusted sources having a maintainer working on each to all share the same dependencies for an OS release. That's what Debian does. However it's a lot of work and that works increases significantly when you try to do it for a piece of software across OS releases.
Read - it's difficult for LibreOffice or Mozilla to ship a new version of their software that works on several Debian or Ubuntu releases. It's also difficult for maintainers to do that.
You could of course include dependencies in debs, but then you're increasing the security attack surface of the OS, because there's no sandbox around those bundled dependencies. Bundling dependencies requires sandboxing to be safe. Otherwise whenever there's a security hole in one library in package X, package X might patch it, but the same library might exist in another 50 packages on the system unpatched.
This is a solved problem. It was done in Android, iOS, BlackBerry 10 and probably others. All OSes that had to deal with more than 30000 packages, open source or proprietary, from trusted or untrusted sources. Bundle non-system dependencies and confine in a sandbox. Snap's been doing this ever since it was called Click. Flatpak didn't have the sandbox part for a while if I'm not mistaken. I'm not sure what its current sandbox state is.
There are other issues with APT/deb but managing dependencies without sandboxing is probably the most fundamental one since dependency management is one their fundamental purposes.
Aren't you sorta trusting whoever wrote any package you install with root? I mean, you should have that attitude anyhow as packages have a huge attack surface so privilege escalation bugs are way more common than remote execution but still, flatpak and snap at least offer a bit of a sandbox which might improve...
Depends on your distro and what's available in the repo. With default repos you're more trusting the distro developer to vet packages.
I trust debian for that. It's been a while since I used Ubuntu so I don't remember how their repos are set up but the debian team is notoriously conservative with their repos.
The track record has been very good as far as i know with thousands of packages over the years so I doubt if there is a real problem to be solved here.
I do wish APT supported installing certain packages locally. Other than that, I'm more likely to use it than Snap/Flatpak/etc