@federico3 yes, that is a problem, but I don't see how OS packages can be a solution.

@federico3 @typish most distributions¹ don't allow random people to upload software to their repositories, which is the vector used by most of those attacks; instead there are at least basic quality checks and reputation based incentives to prevent obviously malicious code from entering the distribution.

¹ yes, I know about AUR. you're not supposed to use AUR in production. yes, people do, like they use pypi etc. in production.
Follow

@valhalla @federico3 I meant that there are reasons why the OS packages model is not a good fit.
Speed is one - if you need to wait for your distro to package the latest version of a package, it might take quite a while.
Versioning is another one. On npm you have all the versions of the package what you need, but having tens of versions of the same package available and maybe installed (without conflicts) in the same OS at the system level seems a possible nightmare.
Which takes us too duplication of work. Why packaging N times each and every python package for N distros?
Finally, as Drew himself noted, some languages (Python in this case, not Rust) are simply not built in a way that makes OS packaging pleasant.

Sign in to participate in the conversation
Qoto Mastodon

QOTO: Question Others to Teach Ourselves
An inclusive, Academic Freedom, instance
All cultures welcome.
Hate speech and harassment strictly forbidden.