Comment by Ygg2
6 days ago
> No? They caught it!
No? Who else has 2-3 years' worth of time to become a contributor and maintainer for obscure OSS utils?
Plus made sockpuppets to put pressure on the OG maintainer to give Jia Tan maintainer privilege.
> Exactly. Not sure how you think this makes the point different. Everything in Debian is volunteer, the fact that people do other stuff is a bonus.
What do you mean exactly? This isn't curation working as intended. This is some random dev discovering it by chance, while it snuck past the maintainers and curators of both Debian and Red Hat.
> Everything in Debian is volunteer, the fact that people do other stuff is a bonus. Point is the Debian community is immunized against malicious software because everyone is working on validation downstream of the authors.
You can do the same in NPM and Cargo. Release a v1.x.y-rc0, give everyone a trial run, see if anyone complains. If they do, it's downstream validation working as intended.
Then yank RC version and publish a non-RC version. No one is preventing anyone from making their release candidate version.
> No one does that for NPM. There is no Cargo Rawhide or NPM Testing
Because it makes no more sense to have Cargo Rawhide than to have XZ Utils SID.
Cargo isn't an integration point, it's infra.
Bevy, which integrates many different libs, has a Release Candidate. But a TOML/XYZ library it uses doesn't.