
764 points bertman | 1 comments
jcmfernandes ◴[] No.43485833[source]
Insane effort. This sounded like a pipe dream just a couple of years ago. Congrats to everyone involved, especially to those who drove the effort.
replies(1): >>43487674 #
Joel_Mckay ◴[] No.43487674[source]
The Debian group is admirable, and has positively changed the standards for OS design several times. Reminds me I should donate to their coffee fund around tax time =3
replies(2): >>43489910 #>>43497816 #
alfiedotwtf ◴[] No.43489910[source]
Exactly!

I’ve said it many times and I’ll repeat it here - Debian will be one of the few Linux distros we have right now, that will still exist 100 years from now.

Yea, it’s not as modern in terms of versioning and risk compared to the likes of Arch, but that’s also a feature!

replies(3): >>43490181 #>>43490648 #>>43491565 #
vbezhenar ◴[] No.43491565[source]
I feel safer using Arch, compared to Debian. Debian adds so many of their patches on top of the original software that the result hardly resembles the original. Arch just ships original code almost always. And I trust the original developers much more than Debian maintainers.
replies(2): >>43491752 #>>43498222 #
palata ◴[] No.43491752[source]
> And I trust the original developers much more than Debian maintainers.

Then that's a good reason not to use Debian indeed. Whatever the distro you choose, you give your trust to its maintainers.

But that's also a feature: instead of trusting random code from the Internet, you can trust random code from the Internet that has been vetted by a group of maintainers you chose to trust. Which is a bit less random, I think?

replies(2): >>43491959 #>>43492649 #
Joel_Mckay ◴[] No.43491959[source]
Debian standardized the vetting process for maintainers, validation environments, and shenanigans could be attributed to individual signatures rather quickly.

If you ever want a laugh, one should read what Canonical puts the kids through for the role. One could get a job flying a plane with less paperwork...

Authenticated signed packaging is often a slow process, and some people do prefer rapid out-of-band pip/npm/cargo/go until something goes sideways... and no one knows who was responsible (or which machine/user is compromised.)

Not really random, but understandably slow given the task of reaching "stable" OS release involves hundreds of projects... =3

replies(1): >>43492028 #
1. palata ◴[] No.43492028[source]
Yeah I think that's what I was trying to say. With a distro, you get some kind of validation by maintainers. With unvetted package managers, you just get something from somewhere.