Idiomdrottning’s homepage

Mid-level–tinfoil wishlist for package managers

I’m not the most tinfoil-hat–wearing hacker in the world but here’s a minimum baseline I want all package managers, especially programming-language–specific package managers, to have:

I want to be sure that the binary I’m getting is compiled from a particular commit in the source VC. I’m not talking about “pinning to an old version for the sake of reproducible builds” here; that’s a feature with pros and cons that I’m neutral on. I’m talking about verification: being able to know that “OK, this binary came from this source”. It’s not the be-all-end-all against malware, since obfuscation exists, but that’s why I call it a baseline.

That’s it. A one item wishlist.

I’ve always been pretty comfy with the official Debian-provided debs. Even a mirror is subjected to checksums, and there are e2e signatures. Third-party PPAs are another story, and I’m not too fond of them (third-party Debian source packages would be a great fix there), but growing up in the safe embrace of vanilla Debian and then coming to the world of waittaminute you want me to run what command on what now!? has been a wild ride.

I know that in the bigger dependencies debate, there are arguments about few big dependencies vs many small, NIH vs code reuse etc. That’s gonna take a while to sort out. But the bare minimum for a binary package is some sorta paper trail on how it got made.

Not that we should need a specific example since this is such a common problem but

Goreleaser, I’m especially calling you out in this. You make high-quality debs but the binaries in those debs might as well be blobs from Planet X for all I know. I can trace the build to a GitHub “action” being run on such and such tag, but then I need to trust GitHub, and the creators of that particular action, i.e. you.

And in before

…we already do this

Now it’s possible that some of the package systems I’m slagging here, whether or not I named them in this post, do have a solution for this. That’s great! That’s a win for everyone if that’s the case. Please make that solution a li’l easier to find.

…every piece of FOSS is a precious gift

Right, no-one owes me or anyone this. I know. These are just a pair of cents tossed into the crumpled paper cup on the street called “design discourse” and probably worth as little, too. Thanks for reading anyway. ♥︎