Power management, mobile and firmware developer on Linux. Security developer at nvidia. Ex-biologist. Content here should not be interpreted as the opinion of my employer. Also on Mastodon and Bluesky.
I am sick of upstream application makers saying they don't have control.
Date: 2016-04-06 03:42 am (UTC)
http://appimage.org/ For all the time I have used Linux there has been something like AppImage to make distribution-neutral packages by doing what you do on OS X, Windows and Android: bundling up all the dependencies your application uses.
What is going on is not like you have described, Matthew Garrett.
Reality: lots of upstream projects don't make Linux binaries, so they palm the problem of making binaries off on to distribution maintainers and end users. Yes, just because upstream releases a new X version does not mean it will in fact build without errors. Lots of upstreams don't have build servers or test-suite solutions testing every update. So upstreams suffer from a lot more regression errors than they should, and this is pushed down on to distributions to design plans to deal with.
Even worse, a lot of upstreams, instead of fixing coding bugs, just alter gcc flags until the program builds anyhow.
1) Upstreams need to get serious about releasing binaries users can directly install if they want to protect their reputation. All the tools to do this exist, yet upstreams don't for Linux.
2) Upstreams need to get serious about in fact running testing frameworks.
3) Hosting companies of upstreams need to take some role in mandating that they only host projects that undertake quality control processes like build servers, test suites and code auditing tools.
4) Distributions do need to make it clearer to end users what they have modified.
XScreenSaver is a super bad example because X11 can never do screen locking properly, because it's not designed to. The screen locking issue with X11 is why we need KMS locking. Think about it: the screen is locked, yet you can Ctrl-Alt-F1, log into a terminal, kill XScreenSaver and unlock the screen. Yes, killing the screen locker without unlocking should terminate the session, not result in being logged in. Yes, the OOM killer of the Linux kernel can also unlock a locked session if you are using the XScreenSaver solution.
So 5) is we need to seriously start looking at graphical security.
There's a perfectly reasonable argument that all packages distributed by Debian are modified in some way
In fact this is not true, as some of the maintainers of Debian packages are the upstream developers themselves. So the "modified in some way" excuse does not really fly. The question is why Debian and other distributions have to build applications from source in the first place and cannot get by wrapping the upstream-made package. Wait, there are no upstream-made binary packages in most cases for distributions to consider just wrapping.