Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

we have package managers in this day and age, lol.


do package managers make promises that they only distribute code that's been audited to not pwn you? I'm not sure I see the difference if I decided I'm going to run someone's software whether I install it with sudo apt install vs sudo curl | bash



You are already trusting the maintainers of your distro by running Software they compiled, if you installed anything via the package manager. So it's about the number of people.


This only applies to software distributed by your distro. For something as novel as Ollama, I severely doubt it's made it into anything other than the most bleeding edge(Arch and co). You'll have to wait a few years to get it into mainline Debian, Ubuntu, Fedora, etc. and of course it will be at a set version.


Debian considers this a feature. Choose a distro that fits your needs.


With reproducible builds you get to challenge the binaries provided by your distribution. See <https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix...> for an example.


thats really cool, thanks for the link


ok, so, I think i am trusting fewer people if I just run the bash script provided by the people whose software i want to run


Sadly most of them kinda suck, especially for packagers.



Wrap it in homebrew and have ruby call out to sudo. Problem solved /s




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: