madeofpalk 4 days ago

> Ironically, just after posting that I came across this, which I think proves why my concern is warranted: https://news.ycombinator.com/item?id=45169657

> Debian isn't immune to this, but it's much harder for such an attack to be successful when dependencies aren't constantly changing.

Immich is more immune to this issue because they wait 5 days before raising PRs to bump dependencies, which is a good practice: https://github.com/immich-app/.github/blob/main/renovate-con...
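The "wait N days before bumping" practice mentioned above, as an added example that is not code from the thread or from Immich's Renovate configuration: given a registry's per-version publish timestamps (modelled on the shape of npm's `time` field, with constructed sample data), it picks the newest version that has already sat in the registry for the cooldown period instead of the latest one.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of npm's registry "time" field
# (version -> ISO-8601 publish timestamp). Not real data for any package.
SAMPLE_TIME_FIELD = {
    "created": "2023-01-10T12:00:00.000Z",
    "modified": "2025-09-08T09:30:00.000Z",
    "1.4.0": "2025-06-01T10:00:00.000Z",
    "1.4.1": "2025-08-20T08:00:00.000Z",
    "1.4.2": "2025-09-08T09:30:00.000Z",  # freshly published, not yet cooled off
}


def parse_version(v):
    """Tuple of ints for a plain dotted version, or None for non-version keys."""
    parts = v.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def parse_ts(iso):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def cooled_off_versions(time_field, now_iso, min_age_days=5):
    """Versions published at least min_age_days before now_iso, oldest first."""
    cutoff = parse_ts(now_iso) - timedelta(days=min_age_days)
    eligible = []
    for version, published in time_field.items():
        if parse_version(version) is None:  # skip "created" / "modified"
            continue
        if parse_ts(published) <= cutoff:
            eligible.append(version)
    return sorted(eligible, key=parse_version)


def pick_update(time_field, now_iso, min_age_days=5):
    """Newest version that has completed the cooldown, or None if none has."""
    eligible = cooled_off_versions(time_field, now_iso, min_age_days)
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    today = "2025-09-09T00:00:00.000Z"
    print("eligible:", cooled_off_versions(SAMPLE_TIME_FIELD, today))
    print("would bump to:", pick_update(SAMPLE_TIME_FIELD, today))
```

A release that turns out to be malicious is usually yanked within days, so a bump tool applying this filter never proposes it; the cost is that a genuine fix arrives a few days later.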
rlpb 3 days ago

OK, more maybe, but that is nothing next to Debian, where a huge Debian userbase settles on a single set of versions for all dependencies for a year (usually more) at a time.