> But thanks to the ports tree and the Porter's Handbook, it's easier to solve t...

feld · on June 17, 2015

And how can you trust those third party repos? That's the hard part. At least FreeBSD's way guarantees your packages are built from source code that matches the checksum of what upstream has released. If it doesn't match because of a compromise or upstream re-rolled their tarball it is discovered very, very quickly.

acdha · on June 17, 2015

All packages are signed using GPG and the source package definition include hashes of all of the dependencies so the only question of whether you trust a particular developer and you are required to add a GPG key before adding a repo. (The only thing which makes the distribution's repository special is that the distribution signing key ships as trusted in the base install.)

In many cases, the repos are maintained directly by the upstream project – see e.g. https://www.varnish-cache.org/installation/debian for what that process looks like.

In other cases, you have to decide whether you trust a particular developer. If not, you can choose to create your own version – which could be as simple as taking an source package, auditing it to whatever level you want, and signing it with your own trusted key.

Look, I ran servers using OpenBSD for years in the 90s and FreeBSD in the early 2000s. I respect the work which has gone into the ports system but the reason to use it is not security and advocacy based on limited understanding will not accomplish anything useful. If you want to praise ports, talk about how much easier it makes it to have the latest version of everything installed — and do your homework to be ready to explain how that's meaningfully better than e.g. a Debian user tracking the testing or unstable repositories.

feld · on June 19, 2015

It is meaningfully better. Try tracking the debian testing or unstable policies when the software you're trying to update is built against a newer version of a system library. Good luck fixing that. Now you have to update everything that also relies on that library. It's a rabbit hole that's not fun to go down. Even if they're GPG signed -- what does that prove? They could have modified the source when they built the package. At least with the ports tree you can easily verify the checksum of the source you're building with matches what upstream is releasing.

Furthermore, third party repos not by upstream or trusted OS developers is a nightmare. I regularly spend time trying to find trustworthy 3rd party repos to get newer versions of developer tools into RHEL 5/6. Sometimes it's just random RPMs on an FTP or rpmfind.net style sites. Not trustworthy at all. And sometimes I can't even build the package myself because the tool refuses to build because the rest of the OS is too old.

Long term release Linux distros make life hell.

alphapapa · on June 21, 2015

The way you said "Debian testing or unstable policies" suggests that you aren't very familiar with Debian (they are distributions or repositories, not policies). If the package you're updating is in testing or unstable, then its dependencies will also be updated as necessary. If other packages with the same dependencies won't work with the updated dependencies, then they will be updated as well, automatically. That is not always necessary; it depends on the library in question, whether the ABI changed, etc.

It sounds like you don't know how the Debian packaging system works regarding security. If you are installing from Debian repos (as opposed to third-party repos), then all binary packages go through the ftpmasters. The packages are checksummed, and the checksums are GPG-signed. Each package's maintainer or team handles building the binary from source. Of course, you can also download the source package yourself with a simple command, and then build it yourself. But if you don't trust the Debian maintainers to verify the integrity of the source packages they build, then you shouldn't be using Debian at all. This is no different than using a BSD. The ports tree could also be compromised.

Third-party repos are always a risk. That's one of the nice things about PPAs: their maintainers can use the same security mechanisms that the regular distro repos use, but with their own GPG keys. Again, if you don't trust the maintainer, I guess you should be building everything yourself. LFS gets old though, right?

And that's another good thing about Debian: almost anything you could want is already in Debian proper, so resorting to third-party repos or building manually is rarely necessary.

For long-term use, you can use testing or unstable or both, which are effectively rolling releases. There is also the backports repo for stable. And if you need to build a package yourself, between the Debian tools and checkinstall, it's not hard.

Debian and Ubuntu are the only distros I use, and for good reason. They solved most of these problems a long, long time ago. Compared to Windows or other Linux distros, it seems more like heaven than hell.

By the way, I'm no expert on BSDs--but do they even have any cryptographic signatures in the system at all, or is it just package checksums? Checksums by themselves don't prove anything; you need a way to sign the checksums to verify they haven't been altered. Relying on unsigned checksums is akin to security theater.