Hello, this topic might sound a bit trollish. I am fairly new to the open source community, so please forgive me if I come across as rude.
I have tested dietpi and like some of the convenience and no bloat. That said, I always try to be security conscious and never run GitHub scripts before auditing them. This brings me to my question: how can I be sure DietPi scripts are safe and there will never be any nefarious update (people and devs change, projects get hijacked or sold etc.)? I am concerned because I plan to run a password manager and an s2s VPN tunnel on my ARM device.
I do not have the time, nor am I knowledgeable enough, to audit every script it has. Please note, it is not my intention to undermine the credibility of the devs, who I think are doing awesome work; I just want to know how people approach this topic. I know one could make the same argument for any other distribution, but with Raspbian there are just way too many people involved. So does using DietPi mean that I just have to accept running third party scripts within my risk assessment model?
Basically, the DietPi scripts are mainly developed by 1-2 persons. However, as base image we use Raspberry OS on Raspberry Pi devices, just with a reduced amount of apt packages installed and some configuration tweaks, plus user friendly automation scripts.
In general I would consider DietPi as safe, and each script/code can be reviewed on GitHub by everyone interested. If there is a new version available, it will be announced by the system, but no update is applied without user activity. Usually updates for DietPi will be announced on GitHub, our website, in our online docs, on this forum and on social media. Before applying any update you have the chance to review all changes done. Don’t hesitate to ask if you are unsure about an update.
For software installation we use the apt repositories from Debian, Raspbian or from specific software providers who offer their own apt repository. But we don’t have any control over them. This means running apt update && apt upgrade will update the apt packages you have installed, not the DietPi scripts.
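The answer above rests on one habit: review a script once, then only run it again after you have looked at what changed. The following POSIX sh helper, an added example that is not DietPi's own tooling, makes that habit mechanical: it records the SHA-256 of a script you have audited and refuses to execute it later if its contents differ. The `PIN_DIR` location and the file names are assumptions chosen for illustration; it only depends on `sha256sum` from coreutils.

```shell
#!/bin/sh
# Added example (not DietPi's tooling): pin the hash of an audited script and
# refuse to run it if the content changes. PIN_DIR is an assumed location.

PIN_DIR="${PIN_DIR:-$HOME/.script-pins}"

# pin_script FILE: store the SHA-256 of a script you have already reviewed.
pin_script() {
    mkdir -p "$PIN_DIR"
    sha256sum "$1" | awk '{print $1}' > "$PIN_DIR/$(basename "$1").sha256"
}

# verify_script FILE: exit status 0 if FILE still matches its pinned hash,
# 1 if the content changed, 2 if FILE was never pinned (never audited).
verify_script() {
    pin="$PIN_DIR/$(basename "$1").sha256"
    [ -f "$pin" ] || return 2
    expected=$(cat "$pin")
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# run_pinned FILE [ARGS...]: execute FILE with sh only when its hash matches;
# otherwise print why and return 1 so a caller can go and review the diff.
run_pinned() {
    script="$1"; shift
    if verify_script "$script"; then
        sh "$script" "$@"
    else
        echo "refusing to run $script: not pinned or changed since audit" >&2
        return 1
    fi
}
```

Typical use is `pin_script ./setup.sh` right after reading the script, then `run_pinned ./setup.sh` from then on; when an update lands, the refusal is the prompt to read the new version before pinning it again. The hash only tells you the file differs from what you audited, not whether the change is benign, so it complements the GitHub review the answer describes rather than replacing it.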
Thank you for your helpful response. Now I understand better what DietPi actually is and consider this model secure enough.
OK, good. Don’t hesitate to ask if there are further questions.