<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small">On Thu, Sep 18, 2025 at 9:52 AM Jason Locklin via kwlug-disc &lt;<a href="mailto:kwlug-disc@kwlug.org">kwlug-disc@kwlug.org</a>&gt; wrote:</div></div><div class="gmail_quote gmail_quote_container"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Speaking of "watering holes" and supply chains, for those of us not neck deep in Linux software distribution, it's getting very difficult to follow all the different software sources. Years ago, I mostly just used the debian repos for everything (and CRAN - because dayjob)*. Now, we have all the container type repos and so many projects seem to heavily recommend one or another to keep up. Because of the convenience of docker-compose, docker is a big one, but I've used nix, flatpak, snap, and those language specific managers like npm, cargo, pip(x), etc. Unfortunately, I've seen "curl to bash" come up a lot more lately with small hobby projects too (I've occasionally run this with distrobox to at least contain it).<br>
<br>
So my question is, what is your decision tree for choosing sources to install software from? How trustworthy do you consider the various sources? Any no-go's?</blockquote><div><br></div><div style="font-size:small" class="gmail_default">For me, I tend to use Ubuntu's repositories exclusively (which are mostly Debian, plus some other stuff).</div><div style="font-size:small" class="gmail_default">But a long time ago (~ 20+ years) it became apparent that exceptions have to be made.</div><div style="font-size:small" class="gmail_default">It started with Drupal. Because it is fast moving, a Debian package becomes obsolete within months. <br></div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default">My current policy is to stick with Ubuntu repositories, unless there is a very good reason to install through another channel.</div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default">Snap is the first thing I uninstall on an Ubuntu machine (whether servers or desktops), so nothing from there. 
<br></div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default">Python pip is used for some applications that I wrote, but those are not net facing, so security is not much of a concern.</div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default">Home Assistant now runs as docker-compose images, because the project forced this as the only practical method for those who don't want to install HAOS (a custom operating system just for Home Assistant).</div><div style="font-size:small" class="gmail_default">I don't go crazy with containers otherwise, despite this being fashionable nowadays.</div><div style="font-size:small" class="gmail_default">For example, the 'normal way' of running Home Assistant on a Raspberry Pi that has Ubuntu Server 24.04 LTS would require several other images in docker (MySQL, InfluxDB or VictoriaMetrics, Grafana, and much more).</div><div style="font-size:small" class="gmail_default">I opt to run these from Debian packages, and drop any that don't have such an option (e.g. VictoriaMetrics, but also for other reasons such as inability to delete rows that have erroneous values). <br></div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default">Yes, it is a complicated world we have now (on so many levels, not just software or FLOSS) ...<br></div></div></div>