

Are you disputing that much of tech is addictive by design?


By the way, secure open trust systems are hard. Around 2000, there was a FOSS web site called kuro5hin.org, a Slashdot-style discussion board, which experimented with trust networks. As far as I remember, they did not find a good solution.
Wikipedia or Stack Overflow have the same issues.
I think a kind of real-life-based(!), signature-based web of trust like the GnuPG web of trust (but ideally with more user-friendly software…) could be part of the solution.


You still can get cheap dumb phones.
Regarding do this device:


It’s the derivatives leeching the Arch AUR infrastructure and preinstalling AUR helpers suggesting it’s safe to use as is.
So, Arch users do not depend on AUR? If so, that’s easy to fix. Just delete any mention of AUR from the Arch wiki.


Yeah you can go with Nix then.
But it is not by chance that Linux is based on Open Source hardware support. The alternative is something like MacOS.


Nah, Guix is dead simple to use. I even trained my pet octopus to build Guix packages after it got bored with the underwater piano :)


Did you TeX 3.14159265359 ?


Don’t forget that all the Arch users are doing a good part of that testing, too. Arch is a boon to Linux in general.


I never said that GitHub was better.
It is arguably harder to take over a package from github or Codeberg.
You could also serve your PKGBUILD from a Gemini server (the Gemini small-web protocol, not the Google AI which is really easy to administer and secure), and sign it with a PGP key. That would be about as secure without depending on a huge US American company.


Using Linux is not a dick measuring contest (and man I hate these threads asking “why is your distro the best?” - it feels like trolling and sowing division and grief to me. A bit like asking a mother “What is your favorite child?”.)
But apart from that, I think we can all agree that security of AUR packages is not good enough, and that this deficit is by design.


Anyone can publish his PKGBUILD script on their codeberg or github page.
I didn’t know that before either. I always installed to /usr/local.


Updated link to the Guix home page: https://guix.gnu.org/


Yeah, this lemmy webui seems to have a bug/race condition under Sailfish browser, leading to new posts being sent twice. I already removed the other post.


Some good advice on installing foreign packages to Debian, and how to keep it functional and secure. Much of it applies to other Linux distributions as well.


Most of your suggestions are probably a good idea for the future, but they are not really a solution for a potentially infected system right now.
The only solution for an infected system is to re-install it from scratch, because the integrity of the system is broken. And without any AUR packages, because they can’t be secured in the current form.


Yes! And everything is based on hashed source code - this guarantees long-term reproducibility, avoids vendor-lock-in with proprietary binaries and drivers (and that’s why some companies hate it), but above all makes it much easier to inspect what is in a package.


I see job ads for using that for doctor’s diagnostic notes.


Ultimately, you need to build your own CPU
That’s what RISC V is for.
And yes, there exist FLOSS BIOSes.
No need to troll here.
And fascinating how predictably this happens each time the interests of big tech companies are touched…