| ▲ | oulipo2 5 days ago | |
Sure, but there's plenty of packages with well-known maintainers who get compromised... | ||
| ▲ | haswell 5 days ago | parent [-] | |
The fact that something can happen is separate from how likely that thing is to happen, and that’s what matters here. The comments here that point to this theoretical possibility seem to be missing the point, which is that using something like bubblewrap is an improvement over running arbitrary projects un-sandboxed, and the likelihood of such an attack is far less than the likelihood of any one of hundreds of rapidly evolving, lesser known, lesser scrutinized projects getting compromised. | ||