this post was submitted on 16 Jun 2026
50 points (100.0% liked)

Nearly 2000 packages affected now.

I'm starting to become sceptical of package managers as a concept.

[–] PorkrollPosadist@hexbear.net 12 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

There is a substantial difference between distribution package repositories and systems like NPM. NPM just pulls shit from random third-party git repositories. NPM gets pwned every month because the weakest link in the chain is some javascript developer, and the chain has tens of thousands of links. On NPM (and other similar programming language package managers) if the upstream developer pushes a malicious update, you're already fucked. Could be a malicious developer, or it could be one of the credential-stealing ShitHub worms we've seen go around.

Distribution package repositories are maintained and hosted by a third party (the distribution). If the upstream developer pushes a malicious update, nothing happens. If it is very well disguised, it could potentially slip into an unstable or testing branch, but there is also a time delay before things make their way from unstable to testing to stable, so there is a very high likelihood the problem will be discovered before it hits the average person, assuming the maintainers don't spot it immediately. The xz-utils attack was discovered and mitigated before it could be exploited as a result of this due diligence - though it certainly was a wake-up call.

Another part of the problem with "convenient" PLPMs is that they allow developers to choose whatever version of a dependency they want, so on a good day you only end up with 10 different versions of each installed. It is all about expedience. A lot of more conventional software releases vendor their own dependencies in as well. Distribution package managers go to great lengths to un-bundle these dependencies, such that everything included in the repository is depending on the one version of e.g. librsvg they ship, rather than every rust package pulling in whatever random versions of the 300 crates they happen to have listed in their cargo.lock. This substantially lowers the attack surface and constrains the amount of places malicious code can be hidden or un-patched vulnerabilities can linger indefinitely.

Distribution package repositories aren't impervious, but they are substantially more secure than what's going on when you put thousands of random upstream developers in the driver's seat.
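A small audit of the dependency sprawl described above, as an added example that is not from the thread or from any real tool: it reads an npm lockfile (a constructed lockfileVersion 3 sample is embedded) and reports every package present in more than one version, plus any entry that was not resolved from the registry or that carries no integrity hash. Package names, versions and hashes in the sample are made up.

```python
import json
from collections import defaultdict

# Constructed npm lockfile (lockfileVersion 3 layout); names and hashes are invented.
# "semver" is pinned three times: once at top level and once nested under each dependency,
# and one of the nested copies is fetched from a git URL instead of the registry.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left": "^1.0.0", "right": "^2.0.0"}},
        "node_modules/left": {"version": "1.2.0",
            "resolved": "https://registry.npmjs.org/left/-/left-1.2.0.tgz", "integrity": "sha512-AAAA"},
        "node_modules/right": {"version": "2.0.1",
            "resolved": "https://registry.npmjs.org/right/-/right-2.0.1.tgz", "integrity": "sha512-BBBB"},
        "node_modules/semver": {"version": "7.5.4",
            "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz", "integrity": "sha512-CCCC"},
        "node_modules/left/node_modules/semver": {"version": "5.7.1",
            "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz", "integrity": "sha512-DDDD"},
        "node_modules/right/node_modules/semver": {"version": "6.3.0",
            "resolved": "git+ssh://git@github.com/example/semver.git#abc123"},
    },
})

REGISTRY = "https://registry.npmjs.org/"

def package_name(path):
    """Name of the package at a lockfile path, e.g. node_modules/a/node_modules/@s/b -> @s/b."""
    return path.rsplit("node_modules/", 1)[1]

def audit_lockfile(text):
    """Return ({name: [versions...]} for packages installed more than once, [finding strings])."""
    lock = json.loads(text)
    versions = defaultdict(set)
    findings = []
    for path, meta in lock["packages"].items():
        if not path:
            continue  # the root project entry, not an installed package
        versions[package_name(path)].add(meta.get("version", "?"))
        resolved = meta.get("resolved", "")
        if not resolved.startswith(REGISTRY):
            findings.append(f"{path}: resolved outside the registry ({resolved or 'missing'})")
        if "integrity" not in meta:
            findings.append(f"{path}: no integrity hash recorded")
    duplicates = {name: sorted(v) for name, v in versions.items() if len(v) > 1}
    return duplicates, findings

if __name__ == "__main__":
    dups, notes = audit_lockfile(SAMPLE_LOCK)
    print("multiple versions:", dups)
    print("\n".join(notes))
```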

[–] chgxvjh@hexbear.net 8 points 2 weeks ago

NPM just pulls shit from random third-party git repositories.

Nah, people upload packages to npm. Some of the attacks actually relied on attackers uploading different code to npm than to the linked git repos.