
A popular dev culture these days is built on always pulling in the latest library whenever possible. There can be good reasons to do that, but new library code must still be reviewed. Or at least, confirm that the maintainers have been doing that, and still are. If you've ever been through a code audit, it becomes crystal clear that dependencies are part of the profile. provides another layer of review. I use deps from Debian and review when updating packages, to share.

This just triggered a thought: the fact that a well resourced actor spent all this time on the focused on distros because they were not able to reliably hack into GNU/Linux in general, so they had to resort to this quite expensive campaign to get access again. Yes, this is speculation and yes I'm a fanboy. But there is a lot of good evidence that the free software distro model is quite good for providing secure setups. So take this news as good news 😄


@eighthave lock a version and risk going out of date, pull latest and break or pull something nasty.

Damned if you do damned if you don’t (not suggesting either way is better)
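The trade-off in the two replies above (pin and go stale, or pull latest and risk a hostile update) is what a lock file with artifact hashes is meant to manage: a version is pinned at the moment someone actually reviewed it, the install step refuses bytes that do not match the recorded digest, and a separate check reports which pins the index has moved past. The following is an added example written for this thread, not code from any of the posters, from Debian or from pip; the pip-style `--hash=sha256:` line format, the package names, versions and artifact bytes are all constructed stand-ins.

```python
"""Pin-and-verify dependency check, as an illustration of the thread's trade-off.

Example code written for this page; it is not from any poster, from Debian
or from pip. The lock-file line format mimics pip's "name==version
--hash=sha256:<hex>" style; every package name, version and artifact below
is a constructed stand-in.
"""
import hashlib
import hmac
import re
from typing import Dict, Tuple

# One pinned entry per line: "<name>==<version> --hash=sha256:<64 hex chars>".
# Assumption: plain dotted numeric versions (no epochs, pre-release tags, etc.).
LOCK_LINE = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.+-]*)\s+--hash=sha256:([0-9a-f]{64})\s*$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_lockfile(artifacts: Dict[Tuple[str, str], bytes]) -> str:
    """Write lock-file text from artifacts that a human has just reviewed.

    This is the only moment the hash is trusted: it records what was read,
    so a later fetch can be compared against exactly that code."""
    lines = ["# name==version --hash=sha256:<digest of the reviewed artifact>"]
    for (name, version), data in sorted(artifacts.items()):
        lines.append(f"{name}=={version} --hash=sha256:{sha256_hex(data)}")
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {name: (version, sha256hex)}.

    A malformed non-comment line is an error, not something to skip:
    silently dropping it would turn a typo into an unpinned dependency."""
    pins: Dict[str, Tuple[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"lockfile line {lineno}: not a pinned entry: {raw!r}")
        name, version, digest = m.groups()
        if name in pins:
            raise ValueError(f"lockfile line {lineno}: duplicate pin for {name}")
        pins[name] = (version, digest)
    return pins


def verify_artifact(pins: Dict[str, Tuple[str, str]], name: str,
                    version: str, data: bytes) -> bool:
    """True only if the package is pinned, the version matches, and the bytes
    hash to the recorded digest.  An unpinned package is refused rather than
    accepted: "just pull latest" is the path the lock file exists to close."""
    pin = pins.get(name)
    if pin is None:
        return False
    want_version, want_digest = pin
    if version != want_version:
        return False
    return hmac.compare_digest(sha256_hex(data), want_digest)


def stale_pins(pins: Dict[str, Tuple[str, str]],
               index_latest: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """The other side of the trade-off: pins the index has moved past.

    Returns {name: (pinned_version, latest_version)} so the staleness is
    visible and reviewed deliberately instead of discovered by an outage."""
    def key(v: str) -> Tuple[int, ...]:
        return tuple(int(p) for p in v.split("."))
    return {n: (v, index_latest[n]) for n, (v, _) in pins.items()
            if n in index_latest and key(index_latest[n]) > key(v)}


# Constructed sample data: two "reviewed" artifacts and a pretend package index.
ARTIFACTS = {
    ("libfoo", "1.2.3"): b"int foo(void) { return 1; }\n",
    ("bar-tool", "0.9"): b"#!/bin/sh\necho bar\n",
}
LOCKFILE = make_lockfile(ARTIFACTS)
PINS = parse_lockfile(LOCKFILE)
INDEX_LATEST = {"libfoo": "1.2.3", "bar-tool": "1.0"}

if __name__ == "__main__":
    print(LOCKFILE)
    print("reviewed bytes accepted:",
          verify_artifact(PINS, "libfoo", "1.2.3", ARTIFACTS[("libfoo", "1.2.3")]))
    print("tampered bytes refused:",
          verify_artifact(PINS, "libfoo", "1.2.3", b"int foo(void) { return 2; }\n"))
    print("pins behind the index:", stale_pins(PINS, INDEX_LATEST))
```

Refusing unpinned packages outright is the deliberate choice here: a lock file that only checks the packages it happens to list leaves the "pull latest" door open for anything added later, which is the case the second reply worries about.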

Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.