zlacker

1. bluish+(OP) 2024-01-22 19:59:27
I would trust a build coming from the upstream project more than individual build efforts by people outside the upstream. It usually makes it more organized and does help people who want a quick trial (I wouldn't like having to build each thing I want to try). Also, people keeping up with updates is a problem when you provide the builds. Imagine having to keep up with manually building 20 software/packages every couple of weeks.

Yes, we know it is not a requirement. But it is nice and a convention to do.

replies(3): >>tetris+v2 >>orbliv+x2 >>Ferret+ms
2. tetris+v2 2024-01-22 20:10:29
>>bluish+(OP)
If it's reproducible binaries though, and all the various build hashes match, what's the issue?
replies(1): >>rezona+14
3. orbliv+x2 2024-01-22 20:10:41
>>bluish+(OP)
I prefer builds from repositories I trust. Lots of stuff happily makes it into the Debian repos. So I guess I'm kind of the opposite.
4. rezona+14 2024-01-22 20:17:49
>>tetris+v2
I think this sort of verification being available is exceedingly rare, especially for builds that statically link dependencies.
5. Ferret+ms 2024-01-22 22:22:07
>>bluish+(OP)
I hope you don't use a Linux distribution then. 99% of packages of 99% of distros are built by the distro (or a parent, e.g., using Debian repos) and not the upstream source. In fact, getting builds directly from upstream is the exception rather than the norm, usually used for more niche software that isn't shipped by distros (although it is getting more prevalent with Flatpak).