Comment by Ygg2

4 days ago

> countless articles explaining what should be done instead (e.g. https://news.ycombinator.com/item?id=41727085#41727410

> Centralized package managers only add a layer of obfuscation that attackers can use to their advantage.

They add a layer of convenience. C/C++ are missing that convenience because they aren't as composable and have a long tail of pre-package manager projects.

Java didn't start with packages, but today we have packages. Same with JS, etc.

2 comments

Ygg2

Reply
eichin  4 days ago

Or from another angle, dpkg/apt is the package manager for C/C++ ...

  • Ygg2  3 days ago

    Yeah, but it's not immune to supply chain attacks. Counting on maintainers of dpkg is not that different from counting on maintainers of random crate package.