
I know I shouldn't say this, but I'm grateful this happened. People treat this problem as unsolvable when it's absolutely not. Solutions like crev have existed for a long time, but developers of languages like Rust and Python never treat them as first-class tools. They never bundle them with their official build tools, so people don't use them, and they use the flimsiest of excuses to justify not doing so.

Maybe this is the kick that lang devs needed to take dependency security seriously and finally make peer review mandatory for third party packages by default. If it doesn't, I hope we continue getting kicked in the balls until we do.




> People treat this problem as unsolvable when it's absolutely not.

The root problem is "I'm using software from hundreds of authors, how do I know I can trust all of them?". And that problem is indeed unsolvable. It's not even a technology problem.

And no, peer review is not the solution. Scientific fraud is still widespread despite peer review being the standard for many decades. Granted, there may be better approaches than the Wild West that is PyPI and NPM, but this problem will never go away completely.


Are you honestly telling me that a package that was reviewed and signed off by three reputable developers is practically susceptible to "Scientific fraud"? If you do, then I can see why you think this problem is unsolvable.

You will never have a theoretically perfect solution to this problem, but guess what: it turns out you don't have to. Even single-reviewer systems like Linux repositories have proven to be vastly more secure than this crap.

This problem is absolutely solvable and eventually it will be. I just hope they solve it the right way.


>Are you honestly telling me that a package that was reviewed and signed off by three reputable developers is practically susceptible to "Scientific fraud"?

Yes? Especially if it's pulling in dependencies written by a bunch of other people because then it doesn't require malicious action by those three reputable devs, but merely negligence on their part in how those dependencies (and any updates etc. to them) are managed.


Of course negligence causes the system to fail. That's why people rely on REPUTABLE developers; that is, those who have a long history of doing good, thorough reviews. In practice, even single-reviewer systems have proven to be enough to keep entire package ecosystems secure (Linux package maintainers).

I encourage you to do more research on this topic.
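The policy being argued about above ("signed off by N reputable reviewers, where reputation flows through whom you trust") is easy to make concrete. The following is an added example, not code from crev or from any commenter: a toy trust graph in Rust where a root identity issues trust statements, trust is transitive but never stronger than the weakest link on the chain, and a package version is accepted only if enough sufficiently-trusted reviewers attested to the exact source digest and none of them flagged it. All identities, package names, versions and digests are constructed sample data; signatures on review proofs and trust statements are assumed to have been verified before this code runs.

```rust
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Debug)]
pub enum Trust { None, Low, Medium, High }

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Rating { Negative, Positive }

/// One review proof: `reviewer` attests to the exact bytes identified by `digest`.
/// Hypothetical structure; the signature is assumed verified before construction.
pub struct Review {
    pub reviewer: &'static str,
    pub package: &'static str,
    pub version: &'static str,
    pub digest: &'static str,
    pub rating: Rating,
}

/// "`from` trusts reviews written by `to` at `level`" (also assumed signed by `from`).
pub struct TrustStmt { pub from: &'static str, pub to: &'static str, pub level: Trust }

pub struct Policy { pub min_reviewers: usize, pub min_trust: Trust, pub max_depth: usize }

/// Effective trust of every identity as seen from `root`: trust along a chain is
/// the weakest link on it, the best chain wins, and chains are at most `max_depth` hops.
pub fn effective_trust(root: &'static str, stmts: &[TrustStmt], max_depth: usize)
    -> HashMap<&'static str, Trust>
{
    let mut trust: HashMap<&'static str, Trust> = HashMap::new();
    trust.insert(root, Trust::High);
    for _ in 0..max_depth {
        let mut changed = false;
        for s in stmts {
            let from = match trust.get(s.from) { Some(&t) => t, None => continue };
            let cand = from.min(s.level); // weakest link on this chain
            let cur = *trust.get(s.to).unwrap_or(&Trust::None);
            if cand > cur { trust.insert(s.to, cand); changed = true; }
        }
        if !changed { break; }
    }
    trust
}

/// Decide whether `package`/`version` with source `digest` passes `policy` from `root`'s
/// point of view. Ok carries the sorted list of trusted reviewers who approved it.
pub fn verify(root: &'static str, policy: &Policy, stmts: &[TrustStmt], reviews: &[Review],
              package: &str, version: &str, digest: &str) -> Result<Vec<&'static str>, String>
{
    let trust = effective_trust(root, stmts, policy.max_depth);
    let mut approvers: Vec<&'static str> = Vec::new();
    for r in reviews {
        if r.package != package || r.version != version { continue; }
        let level = *trust.get(r.reviewer).unwrap_or(&Trust::None);
        if level < policy.min_trust { continue; } // unknown or weakly trusted reviewer: ignored
        if r.digest != digest { continue; }        // reviewed different bytes: does not count
        match r.rating {
            Rating::Negative => return Err(format!(
                "{} {} flagged by trusted reviewer {}", package, version, r.reviewer)),
            Rating::Positive => if !approvers.contains(&r.reviewer) { approvers.push(r.reviewer) },
        }
    }
    approvers.sort();
    if approvers.len() >= policy.min_reviewers { Ok(approvers) } else {
        Err(format!("{} {}: {} of {} required trusted reviews",
                    package, version, approvers.len(), policy.min_reviewers))
    }
}

/// Constructed sample data: alice is the root; mallory is trusted by nobody.
pub fn sample_trust() -> Vec<TrustStmt> { vec![
    TrustStmt { from: "alice", to: "bob",   level: Trust::High },
    TrustStmt { from: "alice", to: "carol", level: Trust::Medium },
    TrustStmt { from: "bob",   to: "dave",  level: Trust::High },   // dave: High via bob
    TrustStmt { from: "carol", to: "eve",   level: Trust::High },   // eve: capped at Medium
] }

pub fn sample_reviews() -> Vec<Review> { vec![
    Review { reviewer: "bob",     package: "fastjson", version: "1.0.0", digest: "sha256:aaa", rating: Rating::Positive },
    Review { reviewer: "dave",    package: "fastjson", version: "1.0.0", digest: "sha256:aaa", rating: Rating::Positive },
    Review { reviewer: "mallory", package: "fastjson", version: "1.0.0", digest: "sha256:aaa", rating: Rating::Positive },
    Review { reviewer: "eve",     package: "fastjson", version: "1.0.0", digest: "sha256:bbb", rating: Rating::Positive },
    Review { reviewer: "bob",     package: "fastjson", version: "1.0.1", digest: "sha256:ccc", rating: Rating::Positive },
    Review { reviewer: "bob",     package: "fastjson", version: "1.0.2", digest: "sha256:ddd", rating: Rating::Positive },
    Review { reviewer: "dave",    package: "fastjson", version: "1.0.2", digest: "sha256:ddd", rating: Rating::Positive },
    Review { reviewer: "carol",   package: "fastjson", version: "1.0.2", digest: "sha256:ddd", rating: Rating::Negative },
] }

fn main() {
    let policy = Policy { min_reviewers: 2, min_trust: Trust::Medium, max_depth: 2 };
    for (v, d) in [("1.0.0", "sha256:aaa"), ("1.0.1", "sha256:ccc"), ("1.0.2", "sha256:ddd")] {
        println!("{:?}", verify("alice", &policy, &sample_trust(), &sample_reviews(), "fastjson", v, d));
    }
}
```

Three things in this model matter in practice: an untrusted reviewer (mallory) adds nothing however many proofs they publish, a proof over a different digest (eve) is worthless for the bytes you are about to build, and one negative proof from a trusted reviewer vetoes any number of positives. The "negligent reputable reviewer" objection raised above is not addressed by the graph itself; it is addressed by the root lowering the trust level it assigns to that reviewer.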


Making crev part of the official Rust toolchain won't magically make enough time in the day for me to want to volunteer any of it doing code review.



