Trusting Linux Distribution

Why are we sure a package that is part of a linux distribution (Debian, Fedora, etc.) is trustworthy?

I guess it must depends on the distribution’s internal procedures and I know e.g. Debian has sid, testing and stable but my question is more: Is there somebody at e.g. Debian that checks the source code of packages before incorporating them in the distribution?

If not, how do they ensure they do not put crap in their distribution?

Thanks in advance.

2 Likes

Linux is more trustworthy because you can read (and presumably understand) and compile the source code and plug the compiled binaries back into the app/program. If it works, then it is reproducible and is binary compatible with the whole thing then we can say the code is legit.

Lots of people do this as volunteers or as part of their work under Canonical, RedHat, SuSE etc. So the code is more on the side of trustworthy. The smaller distros, probably slightly less so, especially the more niche you go.

Dont get me wrong, people do get crap inside their code by using malicious libraries like the ones that happened in python, if i recall correctly. So in the end, you still have to be vigilant. In the end, the risk of potentially malicious apps getting inside your computer is proportional to the amount of apps inside your computers. Sandbox/Use VMs/isolate apps as needed.

1 Like

Protonmail can become evil tomorrow, signal too! (stop booing at me, it’s an example)


all i want to say that, the trust in the developers team. — as you trust in signal that they compile their app without any new logging stuff. same on linux distros. and to answer on your main question, i’m sure big famous distros like debian or arch linux people look at them