[conspire] Thank you

Rick Moen rick at linuxmafia.com
Tue Jul 26 22:00:29 PDT 2011


Quoting Tony Godshall (tony at of.net):

> Um.  I'd qualify this.  Better be a site you have reason to trust.

To be sure.  (Quibble:  Not actually the site; the code's gpg-signer.)

That trust could be based on significant word of mouth, over time, among
an active user community whom you think you can trust to not _all_ be
total idiots.  ;->  Fortunately, that's a pretty common scenario,
really.

Building a locally compiled copy from a source package you grabbed from
your distro's repository of bleeding-edge packages is a useful variation 
that fits somewhere in there, and I didn't mention it specifically.
Anyway, if I may recap the reasoning:

1.  Maintained software is preferable.
2.  Distro-tailored packages (as opposed to upstream) are preferable.
3.  Software installed via your package manager (as opposed to merely 
    compiling from a tarball without package hooks) is preferable.
4.  Software signed by people you have reason to trust is preferable
    over software from you-aren't-really-clear-who.

Many Linux newcomers shortchange themselves, by missing chances to gain 
one or more of those advantages, making unwise choices for their
software sourcing.  In particular, newcomers read articles citing
upstream developer URLs without understanding that they should _not_ 
download upstream source tarballs unless efforts to find better
(maintained, distro-specific, packaged, trustably signed) software
sources have failed.




