Nostr Archives
Diacone Frost 13d ago
And then you find some page on the interweb with instructions to use an arbitrary copr repo to install a "fixed" version of something. Pubkey is presented, you press yes (or use -y in the first place). Done. Even if you verify the key, what's the point? You can't verify every build, you wouldn't be doing anything else.

Replies (1)

ChipTuner 13d ago
Sigh. I know. Most people argue the trade-offs. "Wouldn't you rather have software that's risky and poorly distributed than none at all?" Or something to that effect, maybe with less verbosity. I still love the Obtainium model though. Like let me get the package from the maintainer's GitHub, website, FTP site etc. Albeit I'd prefer more verification... Some maintainers _do_ care about secure supply chains. And even the repeatable build from source argument is a loss imo. My projects can take anywhere from 5-25 minutes to build from source with powerful processors.