I proposed this project to improve on Radicle's p2p model by using Tor for universal, straightforward seeding of git repos.
Original discussion thread - https://bounties.monero.social/posts/207/
One of the project's git repos linked in that thread - https://radicle.network/nodes/iris.radicle.network/rad:z2ydYmUCJvDfNFTVTpEbQmm55EPt1/history
Project website - https://cradicle.xyz/
The dev who took the project also expanded it into a project to reimplement Radicle in C.
Since I'm not a coder and I don't have any git repos of my own, I can only test from the viewpoint of an average layman using the GUI app to seed repos.
It's impossible for me to properly gauge how the project is progressing without engagement from coders who try using it for their git repos.
If the project doesn't currently interest you, your suggestions on how to start getting users on board would also be welcome.
Edit - bear in mind that because decentralized discussion platforms like this are currently quite broken, there are comments showing up in the thread when I'm not signed in that don't show up for me when I'm signed in. Here's a screenshot of all the comments showing up for me right now where I'm signed in and able to reply, as of UNIX time 1779670288
I'd encourage discussion of this project moreso on nostr (equally broken but my preferred platform) or the discussion thread linked above (seemingly more functional)
And here the myth shows its head. No one is actually "vetting" 10s of thousand of packages, to a meaningful degree.
And all distros have rolling channels and testing channels, so the every X years part is mythical itself.
In the case of Debian, when is the mythical vetting taking place exactly? Whenever a Debian unstable/sid package gets updated? That's a rolling repo.
Or is it when world is frozen, and the unvetted packages which lived happily in "unstable" and "testing" will now magically get vetted on their way to "stable", in a few months (not six years as you imagined).
You clearly lack basic knowledge about what actually goes on in a distro release cycle.
You missed the point.
crates.iois a source registry. Debian ships binary packages (yes, including rust ones).Where do you think Debian gets source packages for C or C++ from? Did you think they get them in the (physical) mailbox? π
As for dynamic linking, the "security" argument for it has been discussed and debunked. You can search the web for discussions regarding that. Most arguments for
.sohas been debunked, in fact.Nothing is "automatic" when it comes to distro maintenance. Much more so when an upstream doesn't give a f*** about helping you patch your X years old version. If Red Hat, Canonical, ...etc wasn't actively paying developers to do maintenance, Debian wouldn't exist as it is. But even then, that only covers a very small fraction of core packages.
Pinning and vendoring are orthogonal.
The original talking points were about source supply chains. But people like you seem to confuse concerns across multiple chains from the individual upstream dev to the binary distro repo mirror.
Pinning is actually the only way to actually (almost*) guarantee that built code would work correctly. What distros sell you is "should work" and "API looks compatible" and "this patch hopefully doesn't break the interface".
And more ironically, why distros do is global pinning, so the problem is apparently not pinning itself, but upstreams choosing the pinning themselves, right? right?
"But they don't fully pin.. security updates smth smth"
Good. Let's continue..
Good.
The next best thing to pinning is semver-compatible updates.
Now you have an example where you will see that to "fix all CVEs", you need to run the total of TWO whopping commands.
You ran the first command already. The second is
cargo update(orcargo update <only_audit_mentioned_packages>if you want to be more precise.cargo updateonly does semver-compatible updates, as released, authorized, and supported by the upstreams, whose knowledge of the code and its interfaces infinitely trumps your random distro maintainer doing raw patching. This is how a coherent competent ecosystem operates.Some of what the distros do is actually not far away from this. If you looked close enough, you will find that it's not rare for a stated "frozen" version to be a complete lie, with distro patches effectively updating the distro source package to a later patch, or sometimes even minor version, without changing the version number.
But of course, they wouldn't tell you about any of that, because the myths must live on π.
While not completely misplaced, your confidence is inspiring π.