Hacker News | badgersnake's comments

> If you crash your car, you are liable for the accident.

Because I didn’t go through all the blueprints and find the flaw that led to the crash. This is a dumb argument. It’s also the one the AUR appears to be making.


No, it's completely valid. The Arch home page warns you that you're the one responsible for your system, and get to keep both pieces when something breaks. Everything is assembled with this philosophy in mind. This message is reinforced ten times more before the system is even installed and is up and running.

If this is not for you, that's fine, but it's been working very well for some of us for... decades, at this point? I'm not amused by the number of people here wanting to turn Arch into another Ubuntu, most of them having zero familiarity with how the AUR works, or Arch more generally.


>but it's been working very well for some of us for... decades, at this point?

But it's worth asking why it's been working well. Has it been working well simply because it's been a niche ecosystem, or even because you wouldn't have known if it didn't because nobody did security audits?

The Arch distribution model, which operates like the Javascript ecosystem, as in having a barebones core and then a zoo of unregulated third party community packages does not seem fine these days. As it became more popular it has naturally drawn attention and from that moment on you're just screwed because you have no security infrastructure. Arch pretty much lived off security through obscurity.

And in particular with the popularity of these spin-offs, I forgot what the name of the tiling wm thing is that got very popular, I think a lot of users are not aware that they're doing the software equivalent of buying medicine off Craigslist.


> The Arch distribution model, which operates like the Javascript ecosystem, as in having a barebones core and then a zoo of unregulated third party community packages does not seem fine these days

It's hard to take the rest of your comment seriously when you don't seem to have a basic understanding of the parts involved here. Arch's distribution model isn't at all like npm (which I guess is what you're actually talking about here), but the AUR specifically is pretty similar to npm. But the AUR isn't Arch's main distribution model, and the official Arch repositories contain a ton of packages in the core, so not even the "barebones core" is correct here.

Arch has pretty much lived off the experience of its users, which is the entire purpose and value-proposition of the OS. You want someone else to be responsible, you're welcome to use countless other distributions. Arch is quite literally not the OS for a "Don't read anything and press Update, hope for the best" experience, and I hope the core team continues to push back against that, which they've done for decades at this point.

It's sad, because overall you have a point somewhere there but the big misconceptions kind of hide that message though.


>But the AUR isn't Arch's main distribution model, and the official Arch repositories contain a ton of packages in the core, so not even the "barebones core" is correct here.

I don't think that narrative is supported by the numbers. Arch's repositories are about a magnitude smaller than either the AUR or "batteries included" distributions like Debian (about 10k to 100k packages), there are more people using Arch derivatives than Arch, and according to some community polls, granted I can't verify their methodology, something north of 90% of Arch users use the AUR.

If you look at the most popular packages in the AUR, it's the most popular web browsers, virtually every VPN client, popular professional software like DaVinci, incredibly popular messaging clients, Spotify, Zoom, billion+ userbase software and the vast majority of password managers.

And if you look at who maintains those, it isn't the company, in many cases it's a random pseudonymous user who doesn't show up on Google. And I don't get this strange aggressive tone of suggesting I use something else. I do already, because as should be obvious I think that's a bonkers security model, but it deserves to be pointed out.

I do not think that the majority of people running Arch today in practice realizes that their password manager they installed from that repo everyone uses is managed by an absolutely random person on the internet.


> I don't think that narrative is supported by the numbers

Why are you looking at numbers? Arch Linux's official way of distributing software to its users is the repositories called "core", "extra" and "multilib"; anything other than those is "unofficial" and it's the user's responsibility how they handle it. No need to look at any numbers, literally go to Arch Linux's website and read how it works if you don't know already.

> there are more people using Arch derivatives than arch

Maybe, I find it hard to believe that's true outside of gaming, but regardless, that doesn't mean suddenly the AUR becomes safe. And if the complaint is about how these Arch derivatives educate their users, go to their message boards and share this, that has little to do with Arch Linux itself, literally why there are multiple distributions in the first place.

> something north of 90% of arch users use the AUR.

Yes, like me, and probably every other Arch Linux user. I'm sure every developer on macOS at one time uses the terminal, does that mean "rm -rf" suddenly needs to go away?

> it's a random pseudonymous user who doesn't show up on Google

So what, why does it matter? All that matters is that the package does what you expect, and uses official sources if that's the point. My password manager's AUR package is built by someone I don't even recall the username of, is this a problem in practice? No, because I do what my OS tells me and review random 3rd party software I download from the internet. Every time I upgrade, I see that the only thing changing is the URL which points to the official domain, and a content-hash, that's it. The user could be a pirate in Somalia for all I care.

> I do not think that the majority of people running arch today in practice realizes that their password manager they installed from that repo everyone uses is managed by an absolutely random person on the internet.

I think if you look at a certain sub-section of users who install and do things without thinking, you're absolutely correct. But I don't think the rest of the user base who uses Arch for the very value proposition it offers, should suffer because there is a small sub-section of users who install OSes based on what influencers are pushing to their viewers today.


Nope, the war in Iran is testament to that.

This was literally the only reason vinyl made any sense.

Using "literally" doesn't make your comment factual; it's one reason, but also I just think they're neat.

That is, they're more collectible than CDs in my opinion. Bigger packaging for better artwork, something physical and relatively sturdy, etc.


Vinyl? Sturdy? Please.

I don’t know about “Oh shit”. I’ve had many “It’s shit” moments.

It pays to be suspicious of those who tell you you can’t make an honest living.

Huh, I've always been suspicious of folks claiming the opposite.

For the downvoters, have you ever tried to explicitly map your externalities?


What does mapping your externalities have to do with honesty? Is this a poor attempt to suggest that no one can actually be honest because no one has a full understanding of the entire universe? Because that's just a lazy excuse for not trying to be honest and not really worth being in the debate.

Having externalities does not mean you are dishonest. Hell, you can even ignore your externalities and still be honest. You can even outright steal from people and still be honest.

If / when that arrives, I suspect it would be more welcome than what we have right now.


Yeah, but then generally you pick the language your dev team are most familiar with.

Or you hire a team of specialists for the language you want. Perhaps niche languages should have fine-tuned LLMs in the same way.


That’s the second C-suite I’ve seen on here today posting about how your entitlement to things should be directly proportional to your wealth.

Has a new memo gone out? Have we moved on from AI to ultracapitalism as the C-suite talking point?


LPEs are really not impressive enough to warrant names and websites.


Make it illegal to sell tickets above face value.


I was a big fan of what the Cure did, they played our town and they did not allow any tickets to be resold for anything above what they originally went for.

Non-transferable I think? But you could resell them via Ticketmaster maybe for face value?

It was amazing, we sat on the Ticketmaster page, refreshed over the course of a day and we got 8th row for I believe $75 - it was an amazing concert, and being able to pay a reasonable price for tickets like that was amazing.


How does this not just bias who gets tickets to those with more time preference?


Willingness to stand in line for a ticket probably correlates well with fandom.


Standing in line is (today) a digital process that a scalper can trivially scale.


It seems unlikely they'd continue to do that if they weren't able to flip it at a higher price later.


X$ for the ticket plus a convenience fee/service fee for standing in line.


It seems baked into the concept of "reselling can't be done at a higher value" that transfers would have to be limited to a platform where that sort of thing is prevented. For example, if the reselling market is just "add your ticket to the pool for people to buy, and if someone does, they get the ticket and you get the money", there's no way for the sellers to contact the buyers, so I'm not sure how you'd envision an out-of-band payment occurring.


Why bother if there’s no profit?


How does willingness to pay more money not correlate with fandom?


Willingness to pay is not the same as ability to pay.

