On Sun, Mar 31, 2024 at 07:54:08PM +0200, Kevin Kofler via devel wrote: > Adam Williamson wrote: > > Maybe this needs to go on the growing pile of reasons why the > > traditional Linux model *does* need to go away. Maybe Fedora, with its > > foundation of First, should be kind of at the forefront of making that > > happen. > > Switching to a container-based model is just going to introduce more > different library versions (in the worst case, one per container) with a > higher probability that one of them is compromised. Our traditional distro model is not perfect — far from it — and we certainly try to improve it. But I agree with Kevin that in _this particular case_, the other models have smaller chances of catching the issue. Here the upstream was compromised, so 2FA, upstream signatures, and any other checks don't help at all. But in our "traditional model" we have one version of the dependency used for everbody, so there is a strong incentive to review and improve this one particular version. The packaging process is also very open: it is absolutely routine for people to change packagaging for packages owned by other maintainers. The newfangled models are much more about picking particular versions of dependencies and duplicating them in multiple projects. This makes some things easier, and makes things more independent, but I think it'd make the xz bug less likely to be caught. If sshd was packaged as a container or a flatpak, and I saw that it takes .8 instead of .1 seconds to log in, I certainly wouldn't spend the time to figure out why. I'd assume that the authors did something strange and move on to my own things. We talk a lot about the "new ways", but software must still come from somewhere, and the dependencies need to be maintained… Changing the delivery format is not going to magically makes this unnecessary. Zbyszek -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue