I'd go for open source projects. They usually have bigger code bases and good practices, that they enforce on their contributors with code reviews and such.
It's a good way to get feedback on your code, something miss out on personal projects and get much less of in university and corporate projects.
I never said that you can not run a project elsewhere, my point is that you will get way more interaction on github.
Try pushing your project to github and compare the interactions you get from both forges.
When I last checked (and that is a long time ago!) it ran everywhere, but did only sandbox the application on ubuntu -- while the website claimed cross distribution and secure.
That burned all the trust I had into snaps, I have not looked at them again. Flatpaks work great for me, there is no need to switch to a wannabe walled garden which may or may not work as advertised.
Plugins are a code execution vulnerability by design;-) Especially with binary plugins you can call/access/inspect everything the program itself can. All UI toolkits make heavy use of plugins, so you can not avoid those with almost all UI applications.
There are non-UI applications with similar problems though.
Running anything with network access as root is an extra risk that effects UI and non-UI applications in the same way.
Last time I tried it was an apt install followed by a reboot. If your distribution claims to support several inits and it is harder than that: Your distribution did a poor job.
Where are those "many of us"?
It is what the CI uses for testing. If several layers of people decide to not do their job and you have no hardware in your network that announces the DNS servers to use like basically everybody has, then those CI settings might leak through to the occassional user. Even then, at least there is network: Somebody that can't be arsed to configure their network or pick any semi-private distribution will probably prefer that.
Absolutely no issue here, nothing to see.
Build everything you use and ackage it in flatpak?
It's not even that hard to build your own gentoo-based runtimes and install stuff on top of that. Fedora does offer that, too, offering fatpaks based on their own fedora based runtime + rpms.
Yeap, it is always the same set of poorly researched links that get pasted in threads like this.
Unix philosophy, evil corporate interests, insecure, bloated, entangled mess... it is these individuals thatbhave seen the light, notnthe silent majority that does all the work in distributions and when developing software that kind of opted withbtheir feet.
Librewolf
Maintaining a browser is a huge endeaver. Using some random browser that is maintained by a a lone person or maybe even a handful of developers basically guarantees that the whole thing is insecure. This is especially true when keeping functionality around that was removed in the "main" browser to improve security there. One example is the old plugin system that firefox replaced with a more secure one with less hooks into the core engine, breaking some old plugins.
Stay with mainstream browsers folks and install some plugins to improve them that way. At least you get patches asap.
supply chain attacks are a serious problem that needs addressing.
Last I checked: I am not a supplier. So I will not invest effort to secure some supply chain for people that I do not have any obligations to: The license clearly states "no warranty" for a reason. I do those projects for fun, not to bother me with security stuff, notifications about security problems some automatic thing "found" that do not really effect my code and bogus merge requests to upgrade dependencies for no reason... this are all cool things if you are a supplier, do not get me wrong, but I am not. No, I will not invest hours of my free time to sign binaries nobody uses either or to fill out security surveys for badges I can display on github.
If you want me to act like a supplier: Pay me like all the other suppliers you have. I doubt there is any interest to do so for the projects I have on my private github :-)
For your own projects, it might be worth considering a move away from GitHub. (I've been thinking about it since Microsoft bought them.) Codeberg looks like a good alternative.
That also has associated costs: Your project gets instantly much less visible, so you need to keep a mirror on github for visibility. Unfortunately that also means that you will also get interactions on github, so you will need to log in occasionally to not make people think the project is dead.
Not at all: I listed the arguments you will get for that question of yours. They all are bogus, as I tried to explain between the parens.
Any of the many immutable distros (vanilla os, fedora silverblue, bluefin, aeon, endless os, pure os, ...) will all obviously work.
Most of your customizations will live in your home directory anyway, so the details of the host OS do not matter too much. As long as it comes with the UI you like, you will be mostly fine. And yku said you like gnome, that installs many apps from flathub anyway and they work just fine from there.
For development work you just set up a distrobox/toolbox container and are ready to go with everything you need. I much prefer that over working on the "real system" as I can have different environments for different projects and do not have to polute my system with all kinds of dependencies that are useless to the functionality of my system.
NixOS is ofmcourse also an option and is quasi-immutable, but it is also much more complicated to manage.