← Back to context

Comment by ozim

3 months ago

That's not package manager problem that's registry problem. NuGet is not having as many problems as NPM but also NPM is much more popular.

NPM is also quite a wild west when it comes to publishing packages, any kid can make an account and publish 'left-pad' kind of crap.

We already have quite safe and working setup with APT and software repositories for Debian, Ubuntu etc. While it is not so easy to publish your software to Debian, you get dedicated maintainer and all kinds of requirements you have to fulfill.

But this way all the issues with trust are if not mitigated, they are minimized and for example XZ Utils hack didn't make it to production systems and it took 3 years to prepare and pull it off.

4 comments

ozim

Reply
SideburnsOfDoom  3 months ago

> That's not package manager problem that's registry problem

I do not think that the two are cleanly separable. They are client and server ends of the same system.

And I think my point is that I view it as more of a server (registry) and governance problem than the OP author does.

Despite the fact that my employer also has an internal package feed, the security of nuget.org and the central public feed is intrinsic to the security of the whole system.

Nuget was closer to the NPM end of the spectrum, but has tightened up considerably over time. Particularly the "Package ID Prefix Reservations" feature tells me that package names that start with certain words are owned by the relevant entity, be it "System." or "Azure." from Microsoft, or "AWS" from Amazon.

This is important as it's used to distribute SDKs and optional but standard library components and updates.

There is certainly junk on there, but not much load-bearing junk.

  • ozim  3 months ago

    Article is discussing „package manager” as generic concept.

    My argument was that this concept is not the problem.

    Problem is in governance of NPM while NuGet or Maven are stricter and therefore it is registry governance problem.

    But on the other hand NPM is much more popular than any other registry.

    • SideburnsOfDoom  3 months ago

      > Article is discussing „package manager” as generic concept. My argument was that this concept is not the problem. Problem is in governance of NPM

      Then we're in agreement that the article's author has the wrong end of the stick, by focusing on the client end of the file transfer connection.

      1 reply →