Date: 2024-06-20 07:58 pm (UTC)
jack: (Default)
From: [personal profile] jack
Please be patient with a terse reply; I'm typing on my phone :)

Yes, I mostly agree about compiled binaries. It's useful to be ABLE to inspect the source, but for what I'm doing I usually don't have any reason to, or ability to.

But there's a spectrum of "automatic". Someone else compiling the binary is still quite close to the low end of the automatic scale if you manually download the binary, once. I think the thing about package managers is that they represent a trend where it's increasingly useful/inevitable to rely on quite a few libraries for fairly necessary things, which typically have further libraries as dependencies, and typically have some reason you NEED to update some of them and can't just leave them all as you originally downloaded them. And/or the package manager encourages and makes easier a workflow where they're frequently updated.

Also note the "code from package repository automatically downloaded and run as part of the BUILD process", which is another step of automatically trusting package repository code, even if you weren't realistically going to audit it before running it.
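The two points above (a dependency tree that fans out several levels deep, and packages that run code at install/build time) can be made concrete with a small audit script. This is an added example, not code from the comment above or from any package manager; the manifests in REGISTRY are a constructed, in-memory stand-in for the package.json files a real tool would read out of node_modules or fetch from the registry, and the package names are invented.

```python
"""Resolve a transitive dependency graph and flag packages that declare
install-time lifecycle scripts (code run automatically by `npm install`).

Added example with constructed data; not code from the original comment.
"""
from collections import deque

# Lifecycle hooks npm runs for every installed package unless
# ignore-scripts is set. Other hooks (test, build, prepare) are not run
# for dependencies fetched from the registry, so they are not flagged.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample manifests: package name -> subset of its package.json.
# Names are invented for illustration.
REGISTRY = {
    "app": {"dependencies": {"web-framework": "^1.0", "logger": "^2.0"}},
    "web-framework": {
        "dependencies": {"http-parser": "^3.0", "logger": "^2.0"},
    },
    "logger": {"dependencies": {"ansi-colors": "^1.0"}},
    "http-parser": {"dependencies": {"native-bindings": "^0.5"}},
    "ansi-colors": {},
    "native-bindings": {
        "dependencies": {},
        # This is the kind of script the comment is talking about: it runs
        # during install, three levels below anything the app author chose.
        "scripts": {"install": "node-gyp rebuild", "test": "node test.js"},
    },
}


def resolve_transitive(root, registry):
    """Breadth-first walk from `root`; returns {package: depth} for every
    reachable dependency (depth 1 = direct dependency). Cycles are safe
    because each package is recorded once, at its shortest depth."""
    depths = {}
    queue = deque([(root, 0)])
    seen = {root}
    while queue:
        name, depth = queue.popleft()
        # A name missing from the registry is treated as having no deps.
        manifest = registry.get(name, {})
        for dep in manifest.get("dependencies", {}):
            if dep not in seen:
                seen.add(dep)
                depths[dep] = depth + 1
                queue.append((dep, depth + 1))
    return depths


def install_time_scripts(name, registry):
    """Return {hook: command} for the install-time hooks `name` declares."""
    scripts = registry.get(name, {}).get("scripts", {})
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit(root, registry):
    """List (package, depth, hook, command) for every transitive dependency
    of `root` that would execute a script during installation."""
    findings = []
    for name, depth in sorted(resolve_transitive(root, registry).items()):
        for hook, cmd in install_time_scripts(name, registry).items():
            findings.append((name, depth, hook, cmd))
    return findings


def summary(root, registry):
    """Counts that make the 'spectrum of automatic' visible: how many
    packages were chosen directly versus pulled in transitively."""
    depths = resolve_transitive(root, registry)
    direct = sum(1 for d in depths.values() if d == 1)
    return {"direct": direct, "transitive": len(depths) - direct,
            "run_code_on_install": len(audit(root, registry))}


if __name__ == "__main__":
    print(summary("app", REGISTRY))
    for name, depth, hook, cmd in audit("app", REGISTRY):
        print(f"depth {depth}: {name} runs '{cmd}' as its {hook} script")
```

On a real project the same walk would be driven by the lockfile and each package's package.json under node_modules. The corresponding mitigation for the "automatically run during the build" step is npm's ignore-scripts setting (the --ignore-scripts flag or ignore-scripts=true in .npmrc), which stops these hooks from running at install time at the cost of breaking packages that genuinely need a build step.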