Comment by vlovich123
10 days ago
This literal example is actually addressed by the Debian example - the security team has powers to shuttle critical CVEs through but it’s a manual review process.
There’s a bunch of other improvements they call out like automated scanners before distribution and exactly what changed between two distributed versions.
The only oversight I think in the proposal is staggered distributions so that projects declare a UUID and the distribution queue progressively makes it available rather than all or nothing.
> The only oversight I think in the proposal is staggered distributions so that projects declare a UUID and the distribution queue progressively makes it available rather than all or nothing
That is indeed an oversight - I wish I had thought of that idea!
No worries. Feel free to popularize it. I’m more worried about supply chain security than credit :).
Also rather than a UUID a hash of the package name is probably sufficient for back compat and avoiding people trying to rotate UUIDs to get sooner / later distribution.
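As an added illustration of the hash-based staggered distribution described above (this is not code from the thread or from the proposal under discussion; the wave count, the delay between waves and the package names are assumed values), the following sketch derives a rollout wave from a hash of the package name and contrasts it with a wave derived from a self-declared UUID, which a publisher can simply re-generate until they land in the wave they want:

```python
import hashlib
import uuid

# Hypothetical rollout parameters (assumed, not from the thread).
WAVES = 4                # number of staggered distribution waves
WAVE_DELAY_HOURS = 6     # hours between consecutive waves


def _wave_from_bytes(data: bytes, waves: int = WAVES) -> int:
    """Map 8 leading bytes of a digest to a wave index in [0, waves)."""
    return int.from_bytes(data[:8], "big") % waves


def wave_for_package(name: str, waves: int = WAVES) -> int:
    """Wave derived from a hash of the (normalised) package name.

    The result is stable across releases and cannot be changed by the
    publisher without changing the package name itself, which is what
    makes it usable for backward compatibility and resistant to gaming.
    """
    digest = hashlib.sha256(name.strip().lower().encode("utf-8")).digest()
    return _wave_from_bytes(digest, waves)


def wave_for_declared_id(declared_id: str, waves: int = WAVES) -> int:
    """Wave derived from a publisher-supplied identifier (the UUID variant)."""
    digest = hashlib.sha256(declared_id.encode("utf-8")).digest()
    return _wave_from_bytes(digest, waves)


def reachable_waves_by_name(name: str) -> set[int]:
    """With a name hash there is exactly one wave a package can ever occupy."""
    return {wave_for_package(name)}


def reachable_waves_by_rotating_uuid(max_attempts: int = 1000) -> set[int]:
    """With a self-declared UUID a publisher can re-roll the id until they hit
    whichever wave they prefer; this enumerates the waves reachable that way.
    Stops early once every wave has been reached."""
    reached: set[int] = set()
    for _ in range(max_attempts):
        reached.add(wave_for_declared_id(str(uuid.uuid4())))
        if len(reached) == WAVES:
            break
    return reached


def availability_schedule(packages: list[str], published_at_hours: int) -> list[tuple[str, int, int]]:
    """Progressive distribution queue: each package becomes available at
    published time plus its wave's delay, rather than all at once.
    Returns (name, wave, available_at_hours) sorted by availability."""
    rows = []
    for name in packages:
        wave = wave_for_package(name)
        rows.append((name, wave, published_at_hours + wave * WAVE_DELAY_HOURS))
    return sorted(rows, key=lambda r: (r[2], r[0]))


if __name__ == "__main__":
    # Constructed sample input: package names are illustrative only.
    sample = ["requests", "left-pad", "lodash", "cryptography"]
    for name, wave, at in availability_schedule(sample, published_at_hours=0):
        print(f"{name:14s} wave={wave} available_at=+{at}h")
    print("waves reachable by rotating a UUID:", sorted(reachable_waves_by_rotating_uuid()))
```

The point of the contrast is that the name hash gives each project a fixed, auditable position in the queue, while any publisher-chosen identifier (UUID or otherwise) turns wave selection into a trivial search the publisher controls.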
But the whole point of using pypi and npm is because distributions are a thing that only old graybeard boomers use.