The AUR is user supported and thus malware sneaks into packages all the time, although admittedly not to this scale. Still, it's pointedly not secure and has always had "here be dragons" signs plastered all around it.
QuickBasic, the commercial version of QBASIC, also supported BI files. These could be used to bundle shared code for things like high-precision timers, interrupt usage, etc.
Linux distributions are. They all have maintainers who vet packages and take responsibility for them. Arch Linux does too. The inherent untrustworthiness of the AUR was always made explicit by the Arch Wiki and the culture surrounding it, unlike programming language package managers like npm and pip.
Having trusted community members vet packages is a good system, but how much does it really scale?
1. The whole point of the AUR is that the demand for packages outstrips the volunteer effort to provide secure packages.
2. There are about a dozen major package systems for Linux, with a lot of duplicated effort in packaging the same software for slightly different systems in slightly different formats.
> Who is doing package management right these days? Who is doing it securely?
The malware was limited to package sources that I understand to be disabled by default, if you're using Arch Linux. These package sources carry clear warnings that the packages they provide are controlled by third-parties and entirely unvetted by the distro maintainers. [0][1]
If your assertion is that any package management system that permits the installation of packages that aren't vetted by the maintainers of the -er- OS that uses that package management system is "not doing it securely", then the only one that's even vaguely "doing it securely" is Apple's iOS.
I'm of the opinion that permitting users of a general-purpose computer to install arbitrary software is a good thing, and is pretty much the entire point of a general-purpose computer. I'd call computers that make that effectively impossible "appliances". There's very definitely a place for appliances, [2] but seeking to turn every computer into an appliance is massively destructive.
[2] Reliable computers that you never have to think about because they simply never fail to perform the useful tasks they were designed to do are great.
There are definitely LTS distros where the official packages are not updated ASAP. Npm lets package authors publish new versions to all users immediately. Anything that doesn’t allow that is better. Some distros only incorporate patch/security updates for example.
AUR is worse, in that there may not be official authors and you can take over releases of a package. Like, you’ll have random users publishing the release for some application that doesn’t have their own Arch release. And if that user disappears, someone else may take it over
We’re using an internal package repository that acts as a gateway to the public package repositories, except it can have custom rules such as “min release age 30 days”, and can also give logs about which projects have actually downloaded a specific version.
It’s so much overhead and auditing to enforce compliance across the thousands of node microservices though.
And you and me would be better off for it. You can rely on such insanely complex technologies that have required millions of man hours to develop in which even the most knwoledgable will lack a complete understanding, or you can live within your station.