tempaccount420 3 days ago

The alternative is to wait for the 10 different distros to all package your program and then update it once every blue moon.

2
sgarland 2 days ago

No, the alternative is to package it yourself and offer it with a signing key. If you make a .deb and .rpm, you’ve covered a large majority of end users.

1 reply
tempaccount420 2 days ago

That sounds worse than the status quo, a lot of developers use Arch Linux, NixOS, other uncommon (to non-devs) distros.

Why is signing key with .deb/.rpm better than `curl | sh` from a HTTPS link on a domain owned by the author? .deb/.rpm also contain arbitrary shell commands.

1 reply
sgarland 2 days ago

If the shell script happens to have key verification built in to it, then not much from the perspective of provenance verification, but that’s rare IME. Also, using the OS’s package manager means that you can trivially uninstall it.

Gud 2 days ago

Why do you use 10 different distros that only get updated once in a blue moon?

1 reply
dagw 2 days ago

I am not using 10 different OSs/distors, but across every potential user of my tool, it could very easily be 10+.