Speaking of Debian, there’s even bigger news than a new Debian GNU/Hurd release – Debian 11.0 is out and about!
This release contains over 11,294 new packages for a total count of 59,551 packages, along with a significant reduction of over 9,519 packages which were marked as obsolete and removed. 42,821 packages were updated and 5,434 packages remained unchanged.
As always, Debian releases are big, and they are hugely important as they serve as the base for some of the most popular Linux distributions out there.
The new releases might seem a bit slow to some, but it’s: slow & steady/stable. Definitely my preferred distribution for servers.
Seems I need to do some work to fix an issue I had with systemd in one situation, because uninstalling systemd (thus installing sysvinit) in Debian on servers doesn’t seem to work anymore. I never spent time on it because I was busy with other things.
Lennie,
Ditto.
I also often have trouble with nvidia drivers if I don’t update the drivers before updating the kernel due to the unstable ABI, but that’s not really Debian’s fault.
Devuan 4.0 then?
The fact their OS has to offer 59,551 packages is an admission of suckiness to be honest. In Desktop Linux land, everything has to go through the OS repos. For example, in Raspberry Pi, even Kodi and Firefox have to be installed via the repos (and it is of course an obsolete version). That’s not good from a user-choice or sustainability perspective. And yes, you could install stuff from outside the repos, but you risk breaking things, hence the need for the OS to provide 59,551 packages of random apps through its own repos.
There was an article somewhere arguing that, from the perspective of the user (who is not interested in the source code and only uses the compiled product), Windows is more “open” because installing apps outside OS-sanctioned repos is the usual way of installing things, and those apps are always the latest version, while Desktop Linux is more like a walled garden.
And even if you want a walled garden full of everything FOSS has to offer, better go rolling release, that way you’ll at least get the latest versions of those FOSS apps.
Linux invented the “Walled garden” or was it the BSD ports system that came first? Anyway with good reason at the time.
And I think one of the reasons for a Walled Garden is getting more and more relevant, to make sure the software is doing what it claims to do instead of being adware, malware and especially ransomware, etc.
It’s not easy finding trusted sources for software as we can see:
https://www.bleepingcomputer.com/news/security/microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco/
Lennie,
No doubt the repos have played a crucial role for safe software deployment on Linux and others that embraced the same idea, but usually the term “walled garden” refers to an ecosystem that blocks the owner from sideloading, which is not the case for Linux. You can use the repos and benefit from the safety of running verified binaries, but you are not forced to. IMHO this is what all operating systems should be doing.
Absolutely. Ironically Windows puts more trust in signed malware than the owners themselves.
Yeah, I put the walled garden between quotes on purpose.
I obviously meant the distro repo/BSD ports are similar concepts as the app store. But very different euh.. business models
The idea that source availability makes malware go away (as if there is a reviewer assigned for every line of code for those 59,551 packages, much less fully understand it), is false.
In fact, considering that most repositories don’t have any kind of identity checks (most people are known by their screen names only) and the fact that it is unlikely they will ever be introduced, so as not to discourage contributions, repositories are the “next big target” for malware:
https://arstechnica.com/gadgets/2021/07/malicious-pypi-packages-caught-stealing-developer-data-and-injecting-code/
https://www.zdnet.com/article/malicious-npm-packages-caught-installing-remote-access-trojans/
(the other “next big target” is browser extensions obv)
kurkosdr,
Bit of a strawman there.
That has absolutely nothing to do with what Lennie posted.
While malware can be hidden in source, investigating it is far more tractable with source and patch history than without. The source code doesn’t make malware go away just like that, but it does make it harder to hide. And you make it sound like the wild west where any rando can commit, but projects like Debian have maintainers who are vetted.
https://wiki.debian.org/DebianMaintainer
The job is taken seriously and there’s a whole chain of trust that can be used to identify weaknesses and bad actors.
https://unix.stackexchange.com/questions/285635/how-is-the-authenticity-of-debian-packages-guaranteed
It doesn’t make malware impossible, but hopefully we agree that it’s better than downloading binaries from the internet.
I think you raise some reasonable points. One of the reasons I migrated from Debian to Arch was the easier creation of packages for my own custom repository of software that is not found in the main repositories or AUR. I use a lot of specialized scientific software, so this capability is very important to me. The peripheral advantages of rolling releases are nice too. I’ve not been caught by any problems in the time I’ve been using it (about six years now) on all my computers.
As for Windows being more open in terms of ecosystem, I have mixed feelings. There are still substantial barriers to entry for developing on Windows (their build systems are super fickle IMO). Also, as noted here, Windows is so open that malware has a much stronger impact on it than on the various Linux systems (for a variety of reasons).
All in all, it’s worth thinking carefully about how we design the whole computing system, including individual machines, users, developers, etc. I find the holistic picture in Linux-land to be nicer, but others have different opinions.
FortranMan,
Maybe I should take a closer look at Arch then. The centralized repos like Debian uses are fine when you want & need software from the repo, but managing software manually outside the repo can be ugly and far from ideal.
I’m not a fan of having a few global bin/lib directories and shoving everything into them. I really find the file organization counterproductive at times. I prefer the hierarchy used by GoboLinux, but for better or worse a lot of Unix conventions are hard coded in many applications and trying to change it goes against the grain.
I’ve been quite pleased with my experience on Arch. What really got me to seriously consider switching was the quality of the wiki; I kept using the Arch wiki to try and fix broken things on Debian, and the logical choice eventually won over. Now I mostly just set up my systems and don’t need to tinker. Maybe I’m getting boring, or maybe the packages are usually fine without any of the poking that many distros do but Arch doesn’t.
As for the directory structure, I agree that we probably can’t go back now. There are options with virtual file systems and such which make programs see the standard layout when the reality is different, but those don’t really solve the problem. I think Haiku uses something like that. GoboLinux has an interesting take, but I’m quite satisfied with Arch. The issue doesn’t come up when I’m actually using my computer, so maybe it’s just not very important?
What are you even going on about? You have the same options in Linux; you can install from source, you can install binaries for the distro, and you can just use the repos.
Flatpak and backports. That pretty much sums up how to keep your applications up to date. Also, with most things in software, do you need the latest version always? Sometimes there are regressions, or changes you don’t like, etc.
Also on Windows, unless the application has its own updater, you are only getting the latest at time of download (assuming you can find a homepage that is the correct one and don’t download it from some shady place that includes adware/malware on top of it) where on Debian and the like, you get updates through the package manager. Even Windows is adopting something similar with Winget… or whatever they are calling it this week.
Linux isn’t a Walled Garden at all, you can go to its provided package ‘store’ or can still buy from that taco stand outside. Just don’t blame anyone but yourself if you get food poisoning.