
Debian is not cautious with the dependencies. Debian breaks a lot of what they ship, sometimes flagrantly like removing a whole feature, sometimes insidiously by introducing new bugs. I don't really care that Debian doesn't view it as breaking things. From my point of view, users trying to get my product get a subpar experience in a way which is far from explicit.

I personally wouldn't use Debian but people are free to do whatever they want. I don't want to waste my time dealing with Debian maintainers and how they think software should work, however. I advise all software developers to do the same and am vocal about it because it's easy to get guilt-tripped into the idea that you should somehow support their users because they want to use your product, or that introducing changes to support their esoteric targets somehow makes sense because they have done the work, despite the burden of future support actually landing on you.

I want to make clear to people who decide they have no interest in it that they are not alone and it's perfectly fine.

And to be clear, I am singling out Debian here because they are by far the worst offender when it comes to patching, but the comment applies equally to any distribution that applies invasive patches.



Debian IS more cautious with dependencies, in that you won't get hidden dependencies that aren't in the repos.

I don't want to install an app that downloads and executes 500 node packages that I don't know what they do. Those packages should already be vetted and in Debian. If not, then I'm not interested.

Side stepping the distro repos for dependencies for software in the repos leads to unexpected behavior.


> Debian IS more cautious with dependencies, in that you won't get hidden dependencies that aren't in the repos.

For a definition of cautious I don't personally share.

Debian doesn't vet packages. Debian maintainers are less competent than the "upstream" they question approximately all the time, which is why they keep breaking stuff in more or less severe ways (OpenSSL anyone?). And let's not even talk about the insane stuff like when maintainers decide to support a fork they like instead of the piece of software users actually want (Libav anyone?).

> If not, then I'm not interested.

And that's your choice. That doesn't mean developers should care, nor that it is actually a good idea.


Eventually, someone must take source code and build and package the software.

When it's Debian maintainers, one at least knows the rules they are operating by. For random people on the internet, it's usually more difficult to evaluate, vet them, and trust what they are doing.

Of course, I don't know you personally nor any software package that you are releasing so this is not an observation directed to you.


Competent is one thing, malicious is another.

I can agree that Debian maintainers are generally more incompetent, but they do actually vet dependencies for conforming to Debian ideology.

Upstream may be developing malware, they may be adding telemetry or ads. So if we just allow them to install 500 node packages that we don't know what they do... That's suspicious. That's asking for trouble.

Debian keeps a tight control on its supply chain. It's not perfect or bug free, but it is within Debian's goals.

So if you want a free distro with almost completely free sources, then Debian is really one of your only choices.
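The "500 node packages that we don't know what they do" concern from the comments above is something that can be checked mechanically before `npm install` is allowed to run. The script below is an added example written for this page; it is not code from any commenter, from Debian, or from npm. It reads an npm lockfile in the v2/v3 format (the `packages` map, where npm sets `hasInstallScript: true` on packages that declare preinstall/install/postinstall hooks) and reports how many packages would be installed, which of them run code at install time, which are fetched from somewhere other than the public registry, and which carry no integrity hash. The embedded lockfile and its package names are constructed for the example; the trusted-host list is an assumption you would adapt to your own mirror.

```python
"""Audit an npm lockfile (lockfileVersion 2/3) before running `npm install`.

Added example for this page; not code from the thread, from Debian or from npm.
The lockfile below is CONSTRUCTED and its package names are hypothetical.
"""
import json
from urllib.parse import urlparse

# Constructed sample lockfile with hypothetical packages (not a real project).
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0",
             "dependencies": {"left-widget": "^2.0.0", "fast-thing": "^1.0.0"}},
        "node_modules/left-widget": {
            "version": "2.0.1",
            "resolved": "https://registry.npmjs.org/left-widget/-/left-widget-2.0.1.tgz",
            "integrity": "sha512-AAAA...",
            "dependencies": {"tiny-helper": "^0.3.0"}},
        "node_modules/tiny-helper": {
            "version": "0.3.2",
            "resolved": "https://registry.npmjs.org/tiny-helper/-/tiny-helper-0.3.2.tgz",
            "integrity": "sha512-BBBB..."},
        "node_modules/fast-thing": {
            "version": "1.4.0",
            "resolved": "https://registry.npmjs.org/fast-thing/-/fast-thing-1.4.0.tgz",
            "integrity": "sha512-CCCC...",
            "hasInstallScript": True,   # npm sets this for install-time hooks
            "dependencies": {"prebuilt-blob": "git+https://example.invalid/x/prebuilt-blob.git#abc123"}},
        "node_modules/prebuilt-blob": {
            "version": "0.1.0",
            "resolved": "git+https://example.invalid/x/prebuilt-blob.git#abc123"},
    },
})

# Assumption: only the public registry is trusted; add your own mirror here.
TRUSTED_HOSTS = {"registry.npmjs.org"}


def audit_lockfile(text, trusted_hosts=TRUSTED_HOSTS):
    """Return findings about every package the lockfile would install."""
    lock = json.loads(text)
    packages = lock.get("packages")
    if packages is None:
        raise ValueError("only lockfileVersion 2/3 (with a 'packages' map) is supported")
    findings = {"total": 0, "install_scripts": [], "off_registry": [], "no_integrity": []}
    for path, meta in packages.items():
        if path == "":          # the root project itself, not a dependency
            continue
        # "node_modules/a/node_modules/b" -> "b"; scoped names keep "@scope/name"
        name = path.split("node_modules/")[-1]
        findings["total"] += 1
        if meta.get("hasInstallScript"):
            findings["install_scripts"].append(name)
        resolved = meta.get("resolved", "")
        # git+https://... URLs are stripped of the "git+" scheme prefix before parsing
        host = urlparse(resolved.removeprefix("git+")).hostname
        if host not in trusted_hosts:
            findings["off_registry"].append((name, resolved))
        if not meta.get("integrity"):
            findings["no_integrity"].append(name)
    return findings


def should_block(findings):
    """Policy: refuse the install if anything runs scripts or bypasses the registry."""
    return bool(findings["install_scripts"] or findings["off_registry"]
                or findings["no_integrity"])


if __name__ == "__main__":
    report = audit_lockfile(SAMPLE_LOCKFILE)
    print(f"{report['total']} packages would be installed")
    for key in ("install_scripts", "off_registry", "no_integrity"):
        for entry in report[key]:
            print(f"  {key}: {entry}")
    print("BLOCK" if should_block(report) else "OK")
```

Running it on a real project's `package-lock.json` (replace `SAMPLE_LOCKFILE` with the file contents) gives the list a reviewer actually needs: the packages that will execute code on your machine at install time, and the ones whose bytes are not pinned to a registry tarball and hash. `npm ci --ignore-scripts` is the usual way to act on the first finding until each flagged package has been looked at.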



