octoberfranklin 9 hours ago

> What are actual things that crates.io or npm could do but aren’t to improve the security of the ecosystem?

Go back to the distribution/maintainer model. It worked. But it requires that developers slow down the rate of (non-alpha/beta/rc) releases until it matches the maintainer capacity of major software distributions. This is bitter medicine, but it's the solution.

Software distributions exist for a reason. They have maintainers, who are responsible for watching for stuff like this. Unmoderated language-specific registries have encouraged a massive degree of churn. This churn is incompatible with maintainer review, which is why a lot of distributions have basically given up on language-specific registries.

vlovich123 6 hours ago | parent [-]

> Software distributions exist for a reason. They have maintainers, who are responsible for watching for stuff like this.

And still completely missed the xzutils compromise.

And I’m 90% sure those distribution maintainers don’t watch for stuff like this because they simply wouldn’t have the bandwidth to. I think they mostly just determine whether or not a software package is worth adding, maybe evaluating it initially, and whether it has problems building. For example, the base available software in Arch is quite limited, while the AUR is a choose-your-own-adventure.

octoberfranklin 2 hours ago | parent [-]

> And still completely missed the xzutils compromise.

There's no comparison.

That was the culmination of a three-year effort -- almost certainly state-backed. Stuff like that happens maybe three times a decade, and makes headlines. Meanwhile supply chain attacks against language-specific package managers are a monthly or perhaps even weekly event.

There's no comparison.