Risk is equal to severity of the outcome multiplied by the chance of that outcome. If I were running a bank, I'd probably be very careful about what Linux distros I use. But for my own personal data, I don't think the CCP or Russia are going to be able to do anything meaningful based on my RedTube browsing history or my Wikipedia deep dives into penguin morphology.
computer7050 | 12 days ago
Well, as long as we can't formally enforce security and end-to-end verify hw+sw, we'll have to live with varying amounts of trust and checks.
Wrt reproducibility: NixOS minimal ISO is now 99+%, GNOME ISO at ~95% (measured heuristically as described there): https://reproducible.nixos.org
Didn't realize they have gotten this far already!
The actual problem lies in the code that is packaged... A dev sneaking in malware in the CI/CD pipeline would paint a huge target on their back because it's easy to detect and normally few well-known members get to control this. Including malicious code in an obscure dependency however...
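The reproducibility percentage mentioned above is, at its core, a comparison of the outputs of two independent rebuilds. The following is an added illustration, not code from the thread or from the NixOS reproducibility project: it hashes each output path from two rebuilds, counts the paths whose hashes agree, and lists the ones that differ. The sample store paths and file contents are constructed for the example.

```python
import hashlib

# Constructed sample: the contents of the same set of output paths as
# produced by two independent builders. In practice these would be read
# from the two builders' store directories; here one path embeds a build
# timestamp, which is a classic source of non-reproducibility.
BUILDER_A = {
    "/nix/store/aaaa-kernel/bzImage": b"kernel-image-v1",
    "/nix/store/bbbb-initrd/initrd": b"initrd-payload",
    "/nix/store/cccc-iso-tools/bin/mkiso": b"mkiso-binary",
    "/nix/store/dddd-docs/README": b"built at 2024-01-01T10:00:00Z",
    "/nix/store/eeee-config/etc/os-release": b"NAME=NixOS",
}
BUILDER_B = {
    "/nix/store/aaaa-kernel/bzImage": b"kernel-image-v1",
    "/nix/store/bbbb-initrd/initrd": b"initrd-payload",
    "/nix/store/cccc-iso-tools/bin/mkiso": b"mkiso-binary",
    "/nix/store/dddd-docs/README": b"built at 2024-01-02T03:14:15Z",
    "/nix/store/eeee-config/etc/os-release": b"NAME=NixOS",
}


def digest(data: bytes) -> str:
    """SHA-256 hex digest of one output's contents."""
    return hashlib.sha256(data).hexdigest()


def reproducibility(build_a: dict, build_b: dict) -> tuple[float, list[str]]:
    """Compare two rebuilds path by path.

    Returns (fraction of commonly built paths whose hashes match,
    sorted list of paths whose hashes differ). Paths built by only one
    builder are not counted either way, since nothing can be said about
    them; this mirrors the heuristic nature of the published percentage.
    """
    common = set(build_a) & set(build_b)
    if not common:
        return 0.0, []
    differing = sorted(
        path for path in common
        if digest(build_a[path]) != digest(build_b[path])
    )
    matching = len(common) - len(differing)
    return matching / len(common), differing


if __name__ == "__main__":
    fraction, bad = reproducibility(BUILDER_A, BUILDER_B)
    print(f"{fraction:.0%} reproducible; differing paths: {bad}")
```

The differing-path list is the useful output for a maintainer: each entry is a derivation to inspect for embedded timestamps, build paths or other non-determinism.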