by ajross 492 days ago
> When people delegate their brains to others

I dunno, Linux distros have a pretty good track record at the same problem, over multiple decades of evidence.

The difference is that they don't allow self-publication. Canonical and Red Hat et al. work downstream of an active community of developers cross-attesting good software. So their problem becomes "This software is known to be good, let's package it!". So to get malware into the machines of users it's not enough to fool the users, you need to fool the packagers too. And it happens, but very rarely (cf. the xzutils mess from last year).

Node and similar repositories thought they could short-circuit that process, and as has been extensively documented, it doesn't work because users are too lazy to authenticate their own software.