pleroma.debian.social

One thing I wish folks knew better about "Linux" that the annoying evangelists never seem to care to mention.

One of the most important differences from other platforms is *how you get your software*.

You don't download it from the author/publisher who might be (these days, is) bundling malware.

You don't get it from a walled garden with commercial incentives to let publishers hurt you.

You don't have to fumble around Google trying to find if the site offering it is reputable.

You get it from a party, usually made up of dedicated volunteers, who believe in the platform and who are vetting all the software they build and package for you. Usually the same one you got your base system from.

The threat of Mozilla is so much different when you're running Windows with Mozilla's auto-updater installed, or using snaps from Mozilla on Ubuntu (a distro that abdicated its role), or whatever on MacOS, etc.

Versus running a real Linux distro where the same people you trusted to put together a base system that works in your interests are also the ones building and shipping the Firefox source and able to omit anything exceedingly harmful before it gets to you.

@navi
A deb/rpm repository isn't much more than that. You dump packages in a directory and run a single command to extract the metadata into an index file. 'createrepo' or its C reimplementation for rpm, 'dpkg-scanpackages' for deb. That's all that's *required*. You then export said directory over http or mount it and you can install these packages with all the dependency tracking.
@dalias @draeath @ska @SRAZKVT

@navi
I mean yes if you're going to be serious about building a binary repository then higher-level tools like reprepro to track packages and their versions in different suites so that you get auto cleanup of old versions and easy metadata signatures are definitely useful, but they're absolutely not required.
@SRAZKVT @dalias @draeath @ska

@draeath @ska @navi @wouter @dalias @SRAZKVT there’s also https://debr.mirbsd.org/repos/wtf/mkdebidx.sh

I take care of cleaning up old versions myself by using a different structure, not the dists-vs-pool structure of dak, symlinking entire source package directories to make them show up in another suite, and hardlinking shared origtgz files.

Much, much easier.

That script also generates a package index, which takes a relatively long time. But it’s been battle-tested during the m68k revival 2012-2015… and a company-local mirror of lenny (IIRC) updates back then when we still needed it but the signature on archive.d.o had already expired.

What it also lacks is the ability to cache hashes for unchanged files, but even so, it works fine for its scope (smaller or personal repos).

It is capable of outputting for different architectures at once, rebuilding only for a subset of releases, Release.gpg vs. InRelease, and… huh, I forgot while writing this.

@draeath @SRAZKVT @wouter @ska @navi @dalias (one practical tip: run echo | gpg --clearsign before it (twice, to verify the second run doesn’t need a pw) to prime the agent, so you won’t have to enter the PGP password several times during running it; I had to disable pinentry there due to some problems)
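The indexing step the posts above describe (dpkg-scanpackages or mkdebidx.sh writing a Packages file, then a Release file that gets signed as Release.gpg or InRelease), as an added example that is not code from the thread, from dpkg-dev or from mkdebidx.sh: a small in-memory Python re-implementation of the indexer, and of the hash check apt performs against that index before it unpacks a download. The two sample .debs, their control fields and the pool paths are constructed fixtures. Signing is deliberately left out; after writing Release you would run gpg --clearsign -o InRelease Release (or gpg -abs -o Release.gpg Release), which is exactly where the echo | gpg --clearsign agent-priming tip applies.

```python
"""Tiny Debian binary-repo indexer plus the consumer-side hash check.

Trust chain made visible: the (to-be-signed) Release file hashes the Packages
index, and each Packages stanza hashes one .deb.  Without a signature on
Release, apt has nothing to anchor that chain to.
"""
import hashlib
import io
import tarfile

# --- constructing sample .debs (fixtures for this example, not real packages) --

def _tar_gz(members):
    """Pack {name: bytes} into a gzip'd tar with './name' entries, as dpkg does."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo("./" + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def _ar(members):
    """Write a classic 'ar' archive: 8-byte magic, then 60-byte member headers."""
    out = b"!<arch>\n"
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")   # members are 2-byte aligned
    return out

def make_deb(control):
    """Minimal .deb: debian-binary + control.tar.gz + (empty) data.tar.gz."""
    ctl = "".join(f"{k}: {v}\n" for k, v in control.items()).encode()
    return _ar([("debian-binary", b"2.0\n"),
                ("control.tar.gz", _tar_gz({"control": ctl})),
                ("data.tar.gz", _tar_gz({}))])

# --- reading .debs the way dpkg-scanpackages does ----------------------------

def read_ar(blob):
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        size = int(hdr[48:58])
        members[hdr[:16].decode().rstrip(" /")] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members

def parse_fields(text):
    """deb822 parser: 'Key: value' lines, leading-space lines continue a value."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and key:
            fields[key] += "\n" + line
        elif ":" in line:
            key, _, val = line.partition(":")
            fields[key] = val.strip()
    return fields

def deb_control(blob):
    members = read_ar(blob)
    name = next(n for n in members if n.startswith("control.tar"))
    with tarfile.open(fileobj=io.BytesIO(members[name]), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile() and m.name.rstrip("/").rsplit("/", 1)[-1] == "control":
                return parse_fields(tf.extractfile(m).read().decode())
    raise ValueError("no control file in control.tar")

def build_packages(debs):
    """dpkg-scanpackages equivalent: {pool-relative path: bytes} -> Packages text."""
    stanzas = []
    for path in sorted(debs):
        blob = debs[path]
        f = deb_control(blob)
        f.update(Filename=path, Size=str(len(blob)),
                 MD5sum=hashlib.md5(blob, usedforsecurity=False).hexdigest(),  # legacy field
                 SHA256=hashlib.sha256(blob).hexdigest())
        stanzas.append("".join(f"{k}: {v}\n" for k, v in f.items()))
    return "\n".join(stanzas)

def build_release(suite, indices):
    """apt-ftparchive release equivalent: hash every index file under the suite.
    This is the text you then clearsign to InRelease / detach-sign to Release.gpg."""
    lines = [f"Suite: {suite}", f"Codename: {suite}", "Components: main",
             "Architectures: amd64", "SHA256:"]
    for path in sorted(indices):
        data = indices[path]
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data):>16} {path}")
    return "\n".join(lines) + "\n"

def verify_deb(packages_text, path, blob):
    """What apt checks before unpacking: the download must match the Size and
    SHA256 the index promised; an unknown path or a mismatch is a rejection."""
    for stanza in packages_text.split("\n\n"):
        f = parse_fields(stanza)
        if f.get("Filename") == path:
            return (f["Size"] == str(len(blob))
                    and f["SHA256"] == hashlib.sha256(blob).hexdigest())
    return False

def demo():
    """Constructed two-package repo; returns (Packages, Release, ok, tampered)."""
    hello = "pool/main/h/hello/hello_1.0-1_amd64.deb"
    debs = {
        hello: make_deb({"Package": "hello", "Version": "1.0-1", "Architecture": "amd64",
                         "Maintainer": "Example <ex@example.invalid>",
                         "Description": "constructed sample package"}),
        "pool/main/w/widget/widget_2.3_amd64.deb": make_deb(
            {"Package": "widget", "Version": "2.3", "Architecture": "amd64",
             "Depends": "hello (>= 1.0)", "Maintainer": "Example <ex@example.invalid>",
             "Description": "constructed sample with a dependency"}),
    }
    packages = build_packages(debs)
    release = build_release("stable", {"main/binary-amd64/Packages": packages.encode()})
    ok = verify_deb(packages, hello, debs[hello])
    tampered = verify_deb(packages, hello, debs[hello] + b"\x00")  # substituted download
    return packages, release, ok, tampered

if __name__ == "__main__":
    packages, release, ok, tampered = demo()
    print(release)
    print("genuine hello verifies:", ok, "| tampered hello verifies:", tampered)
```

The point of the verify step is the one the thread keeps circling: an unsigned Release (or an expired signature, as on the old archive.d.o snapshot mentioned above) means the hashes in Packages are just assertions by whoever last touched the mirror, so the whole chain down to the .deb is only as trustworthy as the signature you put on Release.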

@dalias They're able to, but I don't think any have? Generally speaking, the closest any distros really do is just integrating specific packages, but other than choosing Firefox-ESR over mainline Firefox, I just don't see much at the distro level... Unfortunately, Firefox-ESR isn't immune...

Honestly though, the most fundamental issue is the same all around: that they keep doing harmful things right there in the very base code itself. I'm seeing forks that are doing their best to manually clean it up and they're working really hard to compensate, but then you see stuff like something slipping through in LibreWolf and you know there are too few devs and not enough spoons and stuff is going to always slip through.

In the end, the fundamental issue is Mozilla itself.

@nazokiyoubinbou @dalias distros are able to package most programs in a way that strips out harmful features, but ironically Firefox is one exception where it's so difficult to package that even Debian has a Mozilla employee (who is also a DD) doing that work

even before the LLM brainworms took over, they had a conflict of interest where features like Pocket shipped in the apt version of Firefox despite being overwhelmingly unpopular

(all this not to detract from your overall point which is correct and awesome, but it would be better to find a different example than Mozilla)