Salta al contenuto principale

Drew DeVault on software supply chain attacks.
# # # # #
https://drewdevault.com/2022/05/12/Supply-chain-when-will-we-learn.html

When will we learn?

drewdevault.com
#pypi #npm #Nimble #aur #cargo
in reply to federico

typish
typish
yes, that is a problem, but I don’t see how OS packages can be a solution.
in reply to typish

Elena ``of Valhalla''
Elena ``of Valhalla''
most distributions¹ don't allow random people to upload software to their repositories, which is the vector used by most of those attacks; instead there are at least basic quality checks and reputation based incentives to prevent obviously malicious code from entering the distribution.

¹ yes, I know about AUR. you're not supposed to use AUR in production. yes, people do, like they use pypi etc. in production.
in reply to Elena ``of Valhalla''

typish
typish
I meant that there are reasons why the OS packages model is not a good fit.
Speed is one - if you need to wait for your distro to package the latest version of a package, it might take quite a while.
Versioning is another one. On npm you have all the versions of the package what you need, but having tens of versions of the same package available and maybe installed (without conflicts) in the same OS at the system level seems a possible nightmare.
Which takes us too duplication of work. Why packaging N times each and every python package for N distros?
Finally, as Drew himself noted, some languages (Python in this case, not Rust) are simply not built in a way that makes OS packaging pleasant.

Questo sito utilizza cookie per riconosce gli utenti loggati e quelli che tornano a visitare. Proseguendo la navigazione su questo sito, accetti l'utilizzo di questi cookie.