On Sun, 2023-06-18 at 15:24 +0100, Polarian wrote:
> So I don't find the entire "Oh the library can be replaced with a 
> malicious one" to be a good reason.

At least the one and only shared library needs to be replaced, a task
that isn't that easy to do, while the 300 outdated libraries of
different versions of the same library that isn't shared suffer from
countless exploits and nobody is able to oversee it. I can't stand snap,
flatpak and Co.

I have to take your reasonable paranoia one step further. Even someone
who builds packages in their free time for free can be bought by the
NSA. On the other hand, developers of proprietary software can follow
the highest ethical standards.

Do you remember "Heartbleed"? We owe that to someone who has
successfully completed his doctorate with this achievement. A PhD
student who overestimates his skills can be worse than a traitor.
