vlovich123 2 days ago

This literal example is actually addressed by the Debian example - the security team has powers to shuttle critical CVEs through but it’s a manual review process.

There’s a bunch of other improvements they call out like automated scanners before distribution and exactly what changed between two distributed versions.

The only oversight I think in the proposal is staggered distributions so that projects declare a UUID and the distribution queue progressively makes it available rather than all or nothing.

calpaterson 2 days ago | parent | next [-]

> The only oversight I think in the proposal is staggered distributions so that projects declare a UUID and the distribution queue progressively makes it available rather than all or nothing

That is indeed an oversight - I wish I had thought of that idea!

vlovich123 a day ago | parent [-]

No worries. Feel free to popularize it. I’m more worried about supply chain security than credit :).

vlovich123 20 hours ago | parent [-]

Also rather than a UUID a hash of the package name is probably sufficient for back compat and avoiding people trying to rotate UUIDs to get sooner / later distribution.
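As an added illustration of the staggered-distribution idea discussed above (example code written for this page, not from any commenter or from any real registry), the sketch below derives a package's rollout slot from a hash of its name, so the position is stable and cannot be re-rolled the way a publisher-chosen UUID could, and keeps an expedited lane for releases a security team has manually waved through. The window length, slot count, normalization rule and the sample index are all assumptions made for the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Assumed policy parameters (illustrative, not taken from any real registry).
ROLLOUT_WINDOW = timedelta(hours=48)  # time until the last slot becomes visible
SLOTS = 16                            # number of stagger buckets
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)  # reference publish time for the samples


def normalize(package_name: str) -> str:
    """Canonical form of a name so 'Foo_Bar' and 'foo-bar' share a slot (assumed rule)."""
    return package_name.strip().lower().replace("_", "-")


def stagger_slot(package_name: str, slots: int = SLOTS) -> int:
    """Deterministic slot in [0, slots) derived from the package name only.

    Because the input is the name, not a publisher-supplied identifier, a
    project cannot rotate anything to move itself earlier or later in the
    queue: the same name always lands in the same slot.
    """
    digest = hashlib.sha256(normalize(package_name).encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % slots


def available_at(package_name: str, published_at: datetime,
                 window: timedelta = ROLLOUT_WINDOW, slots: int = SLOTS) -> datetime:
    """When the registry starts serving this release.

    Slot 0 is visible at publication; slot k waits k/slots of the window,
    so the delay is always strictly less than the full window.
    """
    return published_at + window * (stagger_slot(package_name, slots) / slots)


def is_available(package_name: str, published_at: datetime, now: datetime,
                 expedited: bool = False, window: timedelta = ROLLOUT_WINDOW,
                 slots: int = SLOTS) -> bool:
    """True if a client asking at `now` should see this release.

    `expedited` models the manually reviewed security lane: such a release
    bypasses the stagger queue and is visible as soon as it is published.
    """
    if expedited:
        return now >= published_at
    return now >= available_at(package_name, published_at, window, slots)


def visible_releases(index: list, now: datetime) -> list:
    """Filter an index of release records to those visible at `now`.

    Each record is a dict with keys name, version, published_at and an
    optional expedited flag.
    """
    return [(r["name"], r["version"]) for r in index
            if is_available(r["name"], r["published_at"], now, r.get("expedited", False))]


# Constructed sample index for the demonstration; these are not real packages.
SAMPLE_INDEX = [
    {"name": "alpha-lib", "version": "1.2.0", "published_at": EPOCH},
    {"name": "beta-tool", "version": "0.9.1", "published_at": EPOCH},
    {"name": "gamma-sec", "version": "3.0.1", "published_at": EPOCH, "expedited": True},
]


if __name__ == "__main__":
    for hours in (0, 12, 24, 48):
        now = EPOCH + timedelta(hours=hours)
        print(f"+{hours:2d}h: {visible_releases(SAMPLE_INDEX, now)}")
```

The expedited record is visible at every step; the other two appear at the point in the window their name hashes to, and everything is visible once the full window has elapsed. Using only the first 8 bytes of the digest keeps the modulo cheap while still spreading names evenly across the slots.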

LtWorf 2 days ago | parent | prev [-]

But the whole point of using pypi and npm is because distributions are a thing that only old graybeard boomers use.