Hans-Christoph Steiner
A popular dev culture these days is bult on always pulling in the latest library #updates whenever possible. There can be good reasons to do that but new library code must still be reviewed. Or at least, confirm that the maintainers have been doing that, and still are. If you've even been through a code audit, it becomes crystal clear that dependencies are part of the #security profile. #Debian provides another layer of review. I use deps from Debian and review when updating packages, to share.
Apr 4, 2024 at 2:05pmWeb
Show threadHans-Christoph SteinerApr 4, 2024
This just triggered a thought: the fact that a well resourced actor spent all this time on the #xzbackdor focused on #GNULinux distros because they were not able to reliably hack into GNU/Linux in general, so they had to resort to this quite expensive campaign to get access again. Yes, this is speculation and yes I'm a #FreeSoftware fanboy. But there is a lot of good evidence that the free software distro model is quite good for providing secure setups. So take this news as good news 😄
Show threadDragonApr 4, 2024

@eighthave lock a version and risk going out of date, pull latest and break or pull something nasty.

Damned if you do damned if you don’t (not suggesting either way is better)