woodruffw a day ago

I don't think the model is broken; a latent assumption within the model has always been that you vet your packages before installing them. The bigger problem is that people want to have their cake and eat it too: they want someone else to do the vetting for them, and to receive that added value for no additional cost. But that was never offered in the first place; people have just sort of assumed it as open source indices became bigger and more important.
andrewaylett 3 hours ago

There's a whole industry full of people who will charge you for them to do at least a smidge of vetting. And it's not entirely snake oil: finding and publishing vulnerabilities is good advertising. I might find the likes of Snyk somewhat annoying when I'm required to have them audit projects at work (they aren't as good as Renovate or even Dependabot at raising version bumps, and most of the alerts are false positives for our environment), but I mostly appreciate that they exist.
codedokode a day ago

That's actually what Linux distributions provide free of charge: a list of verified packages. However, a sustainable solution would be a commercial vendor (like Kaspersky, for example) providing a safe feed of packages on a paid basis.
ajross a day ago

> a latent assumption within the model has always been that you vet your packages before installing them

That is precisely the broken part. There are thousands of packages in my local python venv. No, I didn't "vet" them. Are you serious? And I'm a reasonably expert consumer of the form!