typish
in reply to federico

Elena "of Valhalla"
in reply to typish

most distributions¹ don't allow random people to upload software to their repositories, which is the vector used by most of those attacks; instead there are at least basic quality checks and reputation based incentives to prevent obviously malicious code from entering the distribution.
¹ yes, I know about AUR. you're not supposed to use AUR in production. yes, people do, like they use pypi etc. in production.
typish
in reply to Elena "of Valhalla"

I meant that there are reasons why the OS packages model is not a good fit. Speed is one - if you need to wait for your distro to package the latest version of a package, it might take quite a while.
Versioning is another one. On npm you have all the versions of the package that you need, but having tens of versions of the same package available and maybe installed (without conflicts) in the same OS at the system level seems a possible nightmare.
Which takes us to duplication of work. Why package N times each and every python package for N distros?
Finally, as Drew himself noted, some languages (Python in this case, not Rust) are simply not built in a way that makes OS packaging pleasant.