It was unexpected. But could you feel it without experiencing?
I've used open source OS for a decade. It has changed my mind. I've never downloaded software from site. I trust community, not vendors. I use just one non open source application (slack) and I do not trust them, I'd rather run it in a sandbox.
My system comes with a framework to download, build, install any package with just a few commands:
$ yay -G foo
$ cd foo
$ makepkg -sei
I can inspect it and change it, and sometimes I do.
No other ecosystem comes close. Browser extensions and smartphone applications replicate some of it but
* it can be adware/spyware/malware
* it can change overnight, no one checks
* one gallery by popularity or by restriction
Even my closed source software comes from community maintained recipes, Windows finally got it with winget.
Oh, I know! Compare it with programming language package managers — gems, pip, cargo.
This is actually one of the major annoyances for me in Linux. Each distro has its own package manager and set of packages. Yay, yum, apt, pacman, dpkg, portage, the list is near endless and as each package manager needs a reason to exist, each will try to be different. For simple use cases such as installing a package, this is fine. But for example, finding out how to search for available packages can take quite some time on a new distro.
And having all these different package managers require me to either have blind trust in a lot of different communities, or spend a lot of time comparing CRCs and reading code.
This stance actually annoys me. Should we ditch all but one and only web browser? desktop environment? file manager? database? terminal? language? There it starts and where it ends? And who decides what the true form is?
I do not like apt, dpkg, aptitude — interface is not good, output extremely verbose by default and it was slow. Its existence does not annoy me as I do not use it anymore. I use pacman, but this annoys you, what should I do? Abandon it and fill the web with grieve?
Maybe you have to work with different distributions, it should not be hard to create (or google) wrapper https://github.com/icy/pacapt
Separate communities is Linux power. We do not argue on a true form, we solve our needs.
Maybe I'm kinda skewed because I started with Windows, but I don't feel difference between downloading e.g Firefox on Windows and typing `apt-get install nginx` on Linux.
Maybe because it requires "huge shittons" of effort to try to controle the software, and yet, at the end of the day I still have to trust somebody (OS, Drivers, ISP, Firmware/Hardware, Govt)
I just don't expect every developer to be an expert at packaging their app. There's a thousand things to think of, and they might do an unreasonable hack just to get away with distribution.
If you get your packages from a single source, you mostly have to trust that source (lower attack surface), and can be assured they will meet a minimum quality level.
Example oopses from valve (but really, most vendors have theirs):
I've used Windows for 10 years prior that. Maybe the difference is not touching Windows for 10 years.
Sure, it is about trust. Browser addons and language packages pushed by authors, this results in leftpad, spyware. Distributions dissolves authors power, provides buffer, they pull new versions, walk it through stages, there are many eyes and build is (often) reproducible, stable distributions pull only critical updates. Overall effect would not be as dramatic.
If you write it this way (without details) then how people can argue?
What's so scary? I think I'm using 99% of my software from an actual vendor sites and never felt that way. Also using things like virustotal.com.