@condret
> Debian maintainers have the hubris to patch packages, because they believe they know better than the devs
And that is a good thing, because software developers often assume that you want new features when you only want security updates. Updating is fine and dandy until things start breaking as a result. Backporting security fixes is good, I wish it was still more common, sadly it isn't anymore.
@Forestofenchantment @get @Suiseiseki @nyanide @sysrq @enigmatico
@condret
That's what you should always be doing, not for Debian, but in general, end users should never report problems upstream, that's what they have their distro's maintainers for — if they decide that it's indeed a problem with software and not their build of it, they report it further upstream 🤷
@Forestofenchantment @get @Suiseiseki @nyanide @sysrq @enigmatico
@condret
"Hello, I'd like to report a problem: I have this binary that someone else has built for me and it does not work" — WTF is this shit? They won't even be able to tell you how to reproduce the problem even if they tried really hard: they simply don't know what flags the software was built with.
@Forestofenchantment @get @Suiseiseki @nyanide @sysrq @enigmatico
@condret
> distros should pack our stuff without modifications
No, just no! I probably won't be able to use half of the stuff I use with such an approach: systemd dependency, musl incompatibilities and so on — all of this has to be patched to work well with the distro's base system.
And there is nothing wrong with back-porting security patches — because I don't want those coming bundled with 5 new bugs or incompatibilities.
@Forestofenchantment @get @Suiseiseki @nyanide @sysrq @enigmatico
@condret
Free software devs are not "licensing out" their stuff — they shouldn't have control over how others use it, nor should they provide support for binaries built with modifications.
The end user reports the issue to the package maintainer, who in turn checks if it's a problem with their modifications/configuration or an upstream bug, and acts accordingly — that is how it used to be and I don't see what was wrong with that.
@Forestofenchantment @get @Suiseiseki @nyanide @sysrq @enigmatico
@condret
Entrusting the upstream developer with security fixes is a horrible idea: you update the package to get a fix for the new exploit only to find out that the UI has changed, or the config file format — because it was a good idea that happened to coincide with the security fix, and now you have to waste time on fixing your configs — no, thank you! There are exceptions, but in general… Fuck this! It's like building on quicksand.
@Forestofenchantment @get @Suiseiseki @nyanide @sysrq @enigmatico
@condret
Don't get me wrong, I'm not defending Debian in particular, like I said, there are exceptions: there are online APIs, there are lazy package maintainers… But I still find the approach of following upstream's footsteps closely fundamentally flawed. For every lazy maintainer there is an out-of-his-mind developer. Remember that time when Element Web got broken in Firefox ESR?
@Forestofenchantment @get @Suiseiseki @nyanide @sysrq @enigmatico
@condret
And the justification was: there is this new serialiser in JS that I'd like to use, so you guys have to update FF — WTF?! 🤯
They have backtracked on it, but only because this case got bad publicity.
Software indeed got stable, but feature creep got so much worse, and it's not about free software only — proprietary paid-for software became like that too!
@Forestofenchantment @get @Suiseiseki @nyanide @sysrq @enigmatico
@condret
"We've changed the APIs so you can no longer use an older version of the client, but we've also revamped the UI and you have to learn using our software again — we've also removed a couple of features you might've used while we were at it, tehe😊"
This being stuck in a permanent feature update loop is the single thing I absolutely loathe about modern tech. Instead of using the software you have to start servicing it.
@Forestofenchantment @get @Suiseiseki @nyanide @sysrq @enigmatico
@condret
It gets so bad: you can buy a book on some technology/library/programming language published just 2 years ago and it's already part-irrelevant. If security updates keep getting abused to push features, I expect people to stop updating and we get botnets again.
Providing updates for 2-3 major versions was a good practice — free software devs of course don't have the luxury to do it, but distros can and IMO should!
@Forestofenchantment @get @Suiseiseki @nyanide @sysrq @enigmatico
@get
Look, thread mute button — it's right there… or are you what they call a tsundere and just want attention? 😏
@Forestofenchantment @Suiseiseki @nyanide @sysrq @enigmatico @condret