cmeerw

You don't really need to switch to a different distro. Just avoid snaps/flatpack/... and use a more lightweight desktop like XFCE and you should be fine.

Known-good meaning a tested and working configuration The bugs are fixed upstream and they get pushed via the method of distribution, which is Flathub in this case. Well, fixes don’t normally need to be backported because flatpaks are usually fresh.

There are a few assumptions in here in order for that to work: the known-good version needs to be the latest upstream version (otherwise you might not have the latest security fixes) and users need to be comfortable always using the latest flatpak version. Some users might be more comfortable staying on a known stable version for some time.

For notifications, you’d have to follow the relevant projects directly.

Right, and each project will have its own way of handling security issues (particularly when it comes to older versions). Will they point out that versions x - y of their flatpak are affected by a security issue in component z?

Flatpaks can guarantee you have a known-good dependency chain directly tested by the developers/maintainers themselves

What does known-good mean? What if a security vulnerability is found in one of the dependencies. With an old-style distribution there is a security team that monitors security reports and they will provide a fixed package. With flatpaks it's not clear to me if those developers will monitor each dependency for security vulnerabilities and how they will handle that. Will users even be informed about a security issue, will a fix be backported or will it only be available in the latest version?

and newer versions won’t run due to library dependencies.

Mozilla seem to be able to limit library dependencies in their builds: https://www.mozilla.org/en-US/firefox/system-requirements/

But are they actually doing this? I am not seeing any changes: https://launchpad.net/~mozillateam/+archive/ubuntu/ppa still has the .deb packages

You mean like https://manpages.ubuntu.com/manpages/jammy/en/man8/snap.8.html

Still better than a random user claiming

This is a massive security vulnerability

with no justification whatsoever.

Verifying a snap package’s authenticity seems to suggest otherwise. What's the source for your claim?

Was there even a change to the Firefox PPA? I am not seeing a change.

That link appears to be for a Windows driver.

The description says:

In this video, we'll do a deep dive on what C++ Polymorphism is, what "virtual" does under the hood, and ultimately why it is SUCH a performance hit compared to languages like C and Rust.

This is not about compile-time polymorphism.

It would have helped if you had actually posted a link to the correct web site.

Do you mean huntr.dev then? hunter.dev redirects to https://www.linkedin.com/in/williamhuntermitchell

Edit: not sure, huntr.dev says "We accept vulnerability disclosures in most public repositories on GitHub."