[marcus_holmes]

This is a false equivalence brought up every time anyone mentions how vulnerable the npm/gems/pip ecosystems are to supply chain attacks.

Linux code is always reviewed before deployment, goes through many eyeballs, people are careful about this. The same is not true of npm, or any of the other services (as this event clearly shows).

[0x0nyandesu]

Eh that's not true. I use Gentoo so trust me most things are run by little dictators of their own little fiefdoms.

I'm talking about not just the kernel but all the various other things from libraries to servers to tools and everything in between.

[marcus_holmes]

OK, but none of those little fiefdoms are "Linux".

[0x0nyandesu]

I literally said the Linux stack which includes everything from the kernel to init to libs. You can't run just the kernel.

[marcus_holmes]

It's still a false equivalence. You'll agree that all the important bits of the Linux Stack are audited and reviewed by multiple people, right?

[smorgusofborg]

Parts of the Linux stack equivalent to colors and faker are carefully audited and reviewed by multiple people? That sounds to me like elevating them to important bits in a false equivalence.

[mannykannot]

When it comes to security (among other things), one simply cannot say that all the important bits are in the kernel. If that were the case, there would not be an issue to discuss here.

[0x0nyandesu]

Lol hell no. You're joking right?