ozim 3 days ago
That's not a package manager problem, that's a registry problem. NuGet is not having as many problems as NPM, but NPM is also much more popular. NPM is also quite a wild west when it comes to publishing packages; any kid can make an account and publish 'left-pad' kind of crap. We already have a quite safe and working setup with APT and software repositories for Debian, Ubuntu etc. While it is not so easy to publish your software to Debian, you get a dedicated maintainer and all kinds of requirements you have to fulfill. But this way all the issues with trust are, if not mitigated, then minimized, and for example the XZ Utils hack didn't make it to production systems, and it took 3 years to prepare and pull it off.
SideburnsOfDoom 3 days ago
> That's not package manager problem that's registry problem

I do not think that the two are cleanly separable. They are client and server ends of the same system. And I think my point is that I view it as more of a server (registry) and governance problem than the OP author does. Despite the fact that my employer also has an internal package feed, the security of nuget.org and the central public feed is intrinsic to the security of the whole system.

NuGet was closer to the NPM end of the spectrum, but has tightened up considerably over time. Particularly, the "Package ID Prefix Reservations" feature tells me that package names that start with certain words are owned by the relevant entity, be it "System." or "Azure." from Microsoft, or "AWS" from Amazon. This is important as it's used to distribute SDKs and optional but standard library components and updates. There is certainly junk on there, but not much load-bearing junk.