Package Manager Security

Not really, individual package developers don't have as much inmediate control over the repository's state as they do with NPM. Packages go through a review by one of the trusted developers and sometimes automated QA and testing (including as of late reproducibility testing, i.e. does the source match the binary?), before being uploaded to the repository.If you can't trust the team behind the distro, then sure, your supply chain is compromised, but it's significantly less

Couldn't I just publish a package? Then there's malware on the package manager wohooo

Packages are written by people not algorithms. People you have to explicitly trust to install the package.

Not quite true. Not all packages are created equal. For example anything from PyPI, npm, Ruby Gems, and Homebrew is suspect. On the other hand Debian/Ubuntu or Red Hat repo's are likely much more trustworthy since they have actual paid trusted maintainers who review the source code.

People install Linux by picking a distribution to install. The maintainers of the distributions look at the packages they're including. For example, this broken colors package will never end up in any of them, because there are gatekeepers.It's certainly impractical for every developer to vet every package they use, so much so that almost no developers vet any of the packages they use. What's needed are more gatekeepers. Repos like NPM would be well-served by coming up with mec

It's not just npm, you should also not trust pypi, rubygems, cargo and all the other programming language package managers.They are built for programmers, not users. They are designed to allow any random untrusted person to push packages with no oversight whatsoever. You just make an account and push stuff. I have no doubt you can even buy accounts if you're malicious enough.Users are much better served by the Linux distribution model which has proper maintainers. They take respo

It's often the case with software "repositories". Pypi, npm, Maven... Security is expensive.An organisation needs money, on-staff security professionals, and (of course) lawyers to explicitly commit to maintaining a package system.Even MAAMAN (was FAANG) app stores have been exploited.FYI your second link is broken or dead.

If I need software not found in my upstream repos you have 3 options:1. Packaged by the developer/publisher, see Virtualbox, Spotify, Chrome, Slack etc...2. Packaged by a single 3rd party, see PPAs3. A central 3rd party repo populated by anyone, NPM, AUR, pip, Snap/Flatpak etc..Case 1: I have to trust the developer/publisher which is sensible, you're already trusting their code to run.Case 2: I have to trust some random 3rd party, sometimes this is possible, so

Nothing. Does your threat model assume 100% trust in your distro? I understand saying you trust it a lot more than the garbage on npm. But if your trust is anything less than 100%, you are balancing risk and benefit.

It improves usability only. It also creates false perception of security. Malware already found in NPM packages, AUR packages, and other packaging systems without maintainers.