Debian bookworm live images now reproducible

Exactly!

I’ve said it many times and I’ll repeat it here - Debian will be one of the few Linux distros we have right now, that will still exist 100 years from now.

Yea, it’s not as modern in terms of versioning and risk compared to the likes of Arch, but that’s also a feature!

> Debian will be one of the few Linux distros we have right now, that will still exist 100 years from now.

It'd certainly be nice, but if you've ever seen an organisation unravel it can happen with startling speed. I think the naive estimate is if you pick something at random it is half-way through its lifespan; so there isn't much call yet to say Debian will make it to 100.

Indeed, it was sad when they ended the FreeBSD based Debian project due to a lack of interest.

I don't think traditional von Neumann architecture will even be around in 100 years, as energy demands drive more efficient designs for different classes of problems. =3

It's quite easy to run Debian unstable (sid) if you want a more risky approach to having the newest of every package.

Commonly these days you can also add specific repos for the things you want to be more on the edge. Then there are some tools one might install manually, at the moment I remember doing it with fzf.

I feel more safe using Arch, compared to Debian. Debian adds so much of their patches on top of original software, that the result is hardly resembles the original. Arch just ships original code almost always. And I trust much more to the original developers, than Debian maintainers.

> And I trust much more to the original developers, than Debian maintainers.

Then that's a good reason not to use Debian indeed. Whatever the distro you choose, you give your trust to its maintainers.

But that's also a feature: instead of trusting random code from the Internet, you can trust random code from the Internet that has been vetted by a group of maintainers you chose to trust. Which is a bit less random, I think?

> I think the naive estimate is if you pick something at random it is half-way through its lifespan; so there isn't much call yet to say Debian will make it to 100.

This doesn't strike me as a strong argument. That naive estimate (in whatever form[0]) is typically based on not knowing anything else about the process you're looking at. We have lots of information about Debian and similar projects, and you can update your estimate (in a Bayesian fashion) when you know this. Given that Ian Murdock started Debian 31 years ago I think more than 100 years is a very reasonable guess.

[0] see e.g. https://en.wikipedia.org/wiki/Lindy_effect

Debian standardized the vetting process for maintainers, validation environments, and shenanigans could be attributed to individual signatures rather quickly.

If you ever want a laugh, one should read what Canonical puts the kids though for the role. One could get a job flying a plane with less paperwork...

Authenticated signed packaging is often a slow process, and some people do prefer rapid out-of-band pip/npm/cargo/go until something goes sideways... and no one knows who was responsible (or which machine/user is compromised.)

Not really random, but understandably slow given the task of reaching "stable" OS release involves hundreds of projects... =3

Yeah I think that's what I was trying to say. With a distro, you get some kind of validation by maintainers. With unvetted package managers, you just get something from somewhere.

Arguably, there is already the continuous package deprecation process that often leads to unpopular projects getting culled in the next upgrade.

In a way, Flatpak/Snap/Docker was mitigations to support old programs on new systems, and old systems with updated software no longer compatible with the OS. Not an ideal solution, but a necessary one if folks also wanted to address the win/exe dominant long-term supported program versions.

If working with unpopular oddball stuff one notices the packages cycle out of the repositories rather regularly. =3

I don't trust in any validation by the maintainers. There's too much code even in small projects. Big projects are oceans of code. Maintainers maintain too much packages to be able to understand even a little bit of changes. So, no, I don't trust it. It would require a specialized team of engineers for every single project to analyze changes in new versions. It just does not happen.

Best they can do is to follow developer's instructions to build a binary artefact and upload it somewhere. May be codify those instructions into a (hopefully) repeatable script like PKGBUILD.

Yep, I do this for a few tools. Though apt-key deprecation still hasn’t been universally accepted, so that’s always a minor annoyance to deal with.

I appreciate the Lindy effect, but I'd be very cautious in applying it in just any domain. In particular IT, where new project continually spring up to dethrone others. Another 30 years for Debian seems reasonable, but I'd probably bet against another 100. A metaculus question for the longevity of projects like debian would be fascinating.

> In particular IT, where new project continually spring up to dethrone others.

The Lindy effect says nothing about popularity, which is how I translate your use of 'dethrone' here. It observes that something's duration of existence correlates with its chances for existence in the future.

> Best they can do is to follow developer's instructions to build a binary artefact and upload it somewhere. May be codify those instructions into a (hopefully) repeatable script like PKGBUILD.

I don't understand; isn't this exactly what maintainers do? They write a recipe (be it a PKGBUILD or something else) that builds (maybe after applying a few patches) a package that they then distribute.

Whether you use Arch or Debian, you trust that the maintainers don't inject malware into the binaries they ship. And you trust that the maintainers trust the packages they distribute. Most likely you don't personally check the PKGBUILD and the upstream project.

> In particular IT, where new project continually spring up to dethrone others

Yet, it's lasted 31 years, which is a pretty insane amount of time in tech. This on top of being kept up to date, good structure, really good contributions and advancements.

On the other hand, you look at centos, redhat, and oracle and their debacle. How much did they fragment that area.

And then we have Debian just chugging along.

No, they alter and modify the software as they see fit.

Here's one of the recent examples: https://www.reddit.com/r/debian/comments/1cv30gu/debian_keep...

And that's applied to a lot of packages. Sometimes it leads to frustrated users who directly come to frustrated developers who have no idea what they're talking about, because developers did not intend software to be patched and built this way. Sometimes this leads straight to vulnerabilities. Sometimes this leads to unstable software, for example when maintainer "knows better" which libraries the software should link to.

> Here's one of the recent examples: https://www.reddit.com/r/debian/comments/1cv30gu/debian_keep...

They used an official build option to not ship a feature by default, and have another package that does enable all features. If that's your best example of

> Debian adds so much of their patches on top of original software, that the result is hardly resembles the original.

then I'm inclined to conclude that Debian is way more vanilla than I thought.

In general, the apparent use-case and actual unintended impact on OS security must be clear. There is also always extreme suspicion regarding "security" widgets that touch the web browser, shell, or email programs. Normally, after something like CVE-2023-35866 is noted, a package maintainer may assume the project is a liability given the history.

If an application requires a 3 page BS explanation about how to use a footgun without self-inflicted pwning... it seems like bad design for a posix environment.

People that attempt an escalation of coercion with admins usually get a ban at minimum. Deception, threats, and abuse will not help in most cases if the maintainer is properly trained.

https://www.youtube.com/watch?v=lITBGjNEp08

Have a nice day, =3

Flatpak is also a great option for apps you might want to be more up-to-date than Debian provides in their package manager.

I love Debian, but this is a genuine deal that many people don't know about. It also compounds if you're on Ubuntu as sometimes Canonical adds their own patches too. If you're just using Debian as a base OS to serve your own software, it doesn't matter as much but still does somewhat. It's not unusual for Debian-specific patches to be applied by the package maintainers in order to fix build errors, mismatched dependencies, etc. Most of the time those patches are harmless, but sometimes they are not. There have been security vulnerabilities for example that only existed in the Debian-based package of software. No distro is perfect and I don't intend this as a criticism of Debian (as they have legitimate reasons for doing what they do), and no distro (not even Arch) ships everything without any patches, but in my years of experience I've bumped my head on this in Debian several times.

> There have been security vulnerabilities for example that only existed in the Debian-based package of software.

Any examples more recent than CVE-2008-0166?

Currently on mobile and going from memory, but I remember having to push out quick patches for something around 2020-ish or late 2010s? The tip of my tongue says it was a use-after-free vuln in a patch to openssl, but I can't remember with confidence. I'll see if I can find it once I get home.

Worth noting lest I give the wrong impression, I don't think security is a reason to avoid Debian. For me the hacked up kernels and old packages have been much more the pain points, though I mostly stopped doing that work a few years ago. As a regular user (unless you're compiling lots of software yourself) it's a non-issue

> No, they alter and modify the software as they see fit.

Well yeah, but you choose the maintainers that do it the way you prefer. In your care you say you like Arch better, because they "patch less" (if I understand your feeling).

Still they do exactly what you describe they should do: write a recipe, build it and ship a binary. You can even go with Gentoo if you want to build (and possibly patch) yourself, which I personally like.

> Here's one of the recent examples: [...]

Doesn't seem like it supports your point: the very first comment on that Reddit threads explains what they did: they split one package into two packages. Again, if you're not happy with the way the Debian maintainers do it, you can go with another distro. Doesn't change the fact that if you use a distro (as opposed to building your own from scratch), then you rely on maintainers.

In general, most responsibly reported CVE allow several weeks for the patch fixes to propagate into the ecosystems before public disclosure.

Once an OS is no longer actively supported, it will begin to accumulate known problems if the attack surface is large.

Thus, a legacy complex-monolith or Desktop host often rots quicker than a bag of avocados. =3