💾 Archived View for tilde.pink › ~kaction › log › 2021-09-18.1.gmi captured on 2022-04-28 at 17:23:52. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-12-03)

➡️ Next capture (2023-01-29)

-=-=-=-=-=-=-

Generation of curl | sh

I just finished the packaging application for nixpkgs. It took me several hours, the lion's share of which was spent on eradicating opt-out telemetry so the end-user would never know it ever was there.

One of many reasons to strongly prefer distributions over raw "go/cabal/cpan/pip install" is an increased chance that somebody along the line spent time and effort purging such jerkiness. Not all distributions are equal in this regard, though.

https://drewdevault.com/2019/12/09/Developers-shouldnt-distribute.html

Debian and his famous "privacy-breach-generic" Linitan tag used to be very steadfast at guarding user's privacy and making maintainers care. From what I can tell, looking at the list of overrides is not the case anymore.

https://lintian.debian.org/tags/privacy-breach-generic

But if Debian is in decadence, nixpkgs outright sucks at protecting user's privacy. By design. I still maintain that Nix is technologically superior to all other package managers, yet the attitude of the nixpkgs community is disturbing.

You can't be sure the nixpkgs maintainer will rebuild the package from the source instead of using upstream's binary release, let alone fix privacy breaches. Sometimes maintainers even reject patches on "maintainability" grounds. Deliberately trading user's privacy for maintainer convenience strikes devilish to me, but it is what it is.

https://github.com/NixOS/nixpkgs/commit/a54d2e72e282f2bc68c49f82c735cf664244ec75

https://github.com/NixOS/nixpkgs/pull/119861

Laziness of maintainers? Yeah. But there is more to it. All latest developments of programming languages are about making development of individual programs more accessible, not about building a coherent operating system.

For example, Go language has no concept of dependency versioning -- all dependencies pinned to the specific git commit. Good for reproducibility and debugging of individual packages, tremendous extra work for the system as a whole. Debian still fights vendoring, but it is an uphill battle, and it already made a concession to the monstrosity of Kubernetes. No surprise.

https://lwn.net/Articles/843313/

Quantity trumps quality. The old school lost, generation of "curl | sh" won. Those who care -- we are few and are at our own.

(2021-09-29) Drew DeVault wrote optimistic article on same topic.

https://drewdevault.com/2021/09/27/Let-distros-do-their-job.html