Comment by latable
2 days ago
So now we feel the need to add malware protection into the CI, like we put Comodo on Windows 7 and pray while surfing shady torrent websites? It is pretty ironic that an extra tool used to protect against threats gets compromised and creates an even bigger threat. Some here talk about better isolation during development and CI, but the surface area is huge, and probably impractical. Even if the CI is well isolated, the produced package is compromised.
What about reducing the number of dependencies? Integrating core functionality into built-in language libraries? Avoiding frequent package updates? Avoiding immature/experimental packages from developers of unknown reliability?
These issues are grave. I see no future in which they get rarer, and I am afraid they may wipe out the credibility of the open-source movement.
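Added example, not part of the comment above: the mitigations it lists (fewer dependencies, no version drift, no freshly published releases) can be turned into a mechanical check that fails a build before any package is installed. The script below parses a pip-style requirements file and flags unpinned specs, pins without `--hash`, a dependency count over a cap, and releases younger than a cooldown window. Package names, release dates, hashes, "today", and the thresholds are all constructed for the example; in real use the release dates would come from your registry's metadata and the thresholds from your own policy.

```python
"""Added example (not from the Hacker News comment or any real project):
a lockfile policy gate enforcing exact pins, hashes, a dependency cap,
and a minimum release age ("cooldown") before a new version may enter CI."""
import re
from datetime import date, timedelta

# Constructed hashes (not real digests) so the sample file is self-contained.
HASH_A = "sha256:" + "11" * 32
HASH_B = "sha256:" + "22" * 32

# Constructed sample requirements file with hypothetical package names.
SAMPLE_REQUIREMENTS = f"""\
# exact pin, hashed, released well before the cooldown window: passes
libfoo==1.4.2 --hash={HASH_A}
# version range instead of an exact pin: flagged
libbar>=2.0
# exact pin but no hash: flagged
libbaz==0.9.1
# exact pin and hashed, but released 3 days before "today": flagged by cooldown
libqux==3.1.0 \\
    --hash={HASH_B}
"""

# Constructed "now" and release dates; a real gate would query the registry.
TODAY = date(2025, 1, 15)
KNOWN_RELEASES = {
    ("libfoo", "1.4.2"): date(2024, 9, 1),
    ("libbaz", "0.9.1"): date(2024, 10, 10),
    ("libqux", "3.1.0"): date(2025, 1, 12),
}

# name, optional comparison operator, optional version
SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*(\S*)$")


def parse_requirements(text):
    """Return a list of (name, operator, version, [hashes]) tuples.

    Backslash continuations are joined, blank lines and comments dropped."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            logical.append(buf.strip())
        buf = ""
    reqs = []
    for line in logical:
        tokens = line.split()
        spec, opts = tokens[0], tokens[1:]
        m = SPEC_RE.match(spec)
        if not m:
            raise ValueError(f"unparseable requirement: {spec}")
        name, op, version = m.group(1).lower(), m.group(2), m.group(3)
        hashes = [o.split("=", 1)[1] for o in opts if o.startswith("--hash=")]
        reqs.append((name, op, version, hashes))
    return reqs


def check_requirements(text, releases, today, max_deps=25, min_age_days=14):
    """Return (package, rule, detail) findings; an empty list means the gate passes."""
    findings = []
    reqs = parse_requirements(text)
    if len(reqs) > max_deps:                      # "reduce the number of dependencies"
        findings.append(("*", "too-many-deps", f"{len(reqs)} > {max_deps}"))
    for name, op, version, hashes in reqs:
        if op != "==":                            # ranges drift silently between builds
            findings.append((name, "unpinned", f"{op or ''}{version}"))
            continue
        if not hashes:                            # a pin without a digest still trusts the registry
            findings.append((name, "no-hash", version))
        released = releases.get((name, version))
        if released is None:
            findings.append((name, "unknown-release-date", version))
        elif today - released < timedelta(days=min_age_days):   # cooldown on fresh releases
            findings.append((name, "too-new", f"released {released.isoformat()}"))
    return findings


if __name__ == "__main__":
    for pkg, rule, detail in check_requirements(SAMPLE_REQUIREMENTS, KNOWN_RELEASES, TODAY):
        print(f"{rule:22s} {pkg:8s} {detail}")
```

The cooldown rule is the one that addresses the scenario in the thread: a compromised release that is pulled within days never reaches a build that refuses anything younger than the window, at the cost of delaying legitimate fixes by the same amount. Run it as a pre-install step in CI and fail the job on a non-empty findings list.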