by majewsky 2493 days ago
> We rejected distro-controlled package management in favor of pip and gem and npm years ago (for good reasons)

While I'm generally a fan of distribution-provided packages, they would not have helped in this case. Distributions simply lack the manpower to audit all upstream releases for these kinds of issues.


This gem was published six days before it was found, which means that the effectiveness of the attack seems to have relied on it being picked up by people doing automatic upgrades. Wouldn't a distro help because it fundamentally is less predictable about when it takes a new version?
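As an added defensive example, not code from this thread, the following Ruby implements the lag the reply above attributes to distros as an explicit policy: a release-age gate that only selects a gem version once it has been public for a minimum number of days. The version list is a constructed sample in the shape of the rubygems.org `/api/v1/versions/<gem>.json` response, and the version numbers, dates and cutoff are assumptions.

```ruby
require 'json'
require 'time'
require 'rubygems'

# Constructed sample in the shape of rubygems.org's
# /api/v1/versions/<gem>.json (only the fields used here); not real data.
SAMPLE_VERSIONS_JSON = <<~JSON
  [
    {"number": "1.2.1", "created_at": "2019-04-02T10:00:00.000Z", "prerelease": false},
    {"number": "1.2.0", "created_at": "2019-03-01T10:00:00.000Z", "prerelease": false},
    {"number": "1.3.0.pre", "created_at": "2019-03-20T10:00:00.000Z", "prerelease": true},
    {"number": "1.1.9", "created_at": "2019-01-15T10:00:00.000Z", "prerelease": false}
  ]
JSON

# Pick the newest stable release that has been public for at least
# min_age_days, measured against `now`. Returns [version_string, age_days]
# or nil if no release is old enough. A freshly pushed (possibly malicious)
# release therefore sits in a cooldown window before an automated upgrade
# would take it, giving time for it to be noticed and yanked.
def select_cooled_version(versions_json, min_age_days:, now:)
  versions = JSON.parse(versions_json)
  eligible = versions.reject { |v| v["prerelease"] }.map do |v|
    published = Time.iso8601(v["created_at"])
    age_days = ((now - published) / 86_400).floor
    { number: v["number"], age_days: age_days }
  end
  old_enough = eligible.select { |v| v[:age_days] >= min_age_days }
  return nil if old_enough.empty?
  # Compare with Gem::Version so "1.10.0" sorts above "1.9.0".
  best = old_enough.max_by { |v| Gem::Version.new(v[:number]) }
  [best[:number], best[:age_days]]
end

# Usage: at the constructed "now", 1.2.1 is only 6 days old, so a 14-day
# cooldown skips it and falls back to 1.2.0.
if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2019, 4, 8, 10, 0, 0)
  puts select_cooled_version(SAMPLE_VERSIONS_JSON, min_age_days: 14, now: now).inspect
end
```

In practice the selected version would then be pinned in the Gemfile.lock rather than installed from a floating constraint, so the gate decides what the lockfile moves to.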