logoalt Hacker News

marcinostefanotoday at 6:27 PM2 repliesview on HN

Why not for developers? You can install tools from flatpak or in home directory. My workflow includes toolbox containers. Distrobox is also good option.


Replies

michaelmrosetoday at 6:51 PM

Many flatpaks aren't actually maintained by the actual developer nor the normal way the package is normally used. You may have bugs that aren't present in the package that the dev isn't aware of or interested in fixing especially if they support a different channel and the bug relates to sandboxing.

There is also a risk that the person may be malicious from the start, sell out, or simply get malware. Given the nature of the ecosystem a malicious release to a previously safe package could propagate incredibly quickly.

Where there are multiple steps for a package to get from developers machine to yours and each is slow enough for malicious behavior to be noticed each step adds friction and decreases the chance of ultimate success. Where all steps are nearly simultaneous your risk multiplies with each step in which a different person has their hands in it and if any of them are malicious or compromised you are screwed.

admax88qqqtoday at 6:34 PM

mostly i'm trying to get out of the terminal and most IDEs don't understand devbox/distrobox well without lots of finagling.

show 2 replies