[woodruffw]

I don't think the model is broken; a latent assumption within the model has always been that you vet your packages before installing them.

The bigger problem is that people want to have their cake and eat it too: they want someone else to do the vetting for them, and to receive that added value for no additional cost. But that was never offered in the first place; people have just sort of assumed it as open source indices became bigger and more important.

[andrewaylett]

There's a whole industry full of people who will charge you for them to do at least a smidge of vetting. And it's not entirely snake oil: finding and publishing vulnerabilities is good advertising.

I might find the likes of Snyk somewhat annoying when I'm required to have them audit projects at work (they aren't as good as Renovate or even Dependabot at raising version bumps, and most of the alerts are false positives for our environment) but I mostly appreciate that they exist.

[codedokode]

That's actually what Linux distributions provide free of charge: a list of verified packages. However, a sustainable solution would be a commercial vendor (like Kaspersky for example) providing a safe feed of packages on a paid basis.

[woodruffw]

> That's actually what Linux distributions provide free of charge: a list of verified packages

That's true in the sense that distros tend to provide digital signatures. But we're talking asserting the actual security of packages, not just that they were quickly looked at by a trusted party.

And again, that's not somehow blameworthy: they're providing significant value even without asserting the security of packages.

(And don't take my word for this: take it from the distro maintainers in this very thread, as well as elsewhere[1].)

[1]: https://www.reddit.com/r/linux4noobs/comments/1c6i3je/are_al...

[ajross]

> a latent assumption within the model has always been that you vet your packages before installing them

That is precisely the broken part. There are thousands of packages in my local python venv. No, I didn't "vet" them, are you serious? And I'm a reasonably expert consumer of the form!

[woodruffw]

On re-read, I think we're in agreement -- what you're saying is "broken" is me saying "people assuming things they shouldn't have." But that's arguably not a reasonable assumption on my part either, given how extremely easy we've made it to pull arbitrary code from the Internet.

[jowea]

Just have faith in Linus' Law.