vlovich123 | 6 hours ago

> Software distributions exist for a reason. They have maintainers, who are responsible for watching for stuff like this.

And still completely missed the xzutils compromise. And I’m 90% sure those distribution maintainers don’t watch for stuff like this because they simply wouldn’t have the bandwidth to. I think they mostly rather just determine whether or not a software package is worth adding and maybe determining it initially and whether it has problems building. For example, the base available software in Arch is quite limited while the AUR is a choose-your-own-adventure.
octoberfranklin | 2 hours ago | parent

> And still completely missed the xzutils compromise.

There's no comparison. That was the culmination of a three-year effort -- almost certainly state-backed. Stuff like that happens maybe three times a decade, and makes headlines. Meanwhile supply chain attacks against language-specific package managers are a monthly or perhaps even weekly event. There's no comparison.