DuckDB NPM packages 1.3.3 and 1.29.2 compromised with malware

[greatgib]

What is funny is again how many "young developers" had fun at old timers package managers like Debian being so slow to release new versions of packages.

But never ever anyone was rooted because of malware that was snuck into an official .deb package.

That was the concept of "stable" in the good old time, when software was really an "engineering" field.

[SahAssar]

> But never ever anyone was rooted because of malware that was snuck into an official .deb package.

We got pretty close with the whole XZ thing. And people generated predictable keys due to a flaw in a debian patch to openssl.

This stuff is hard and I'm not saying that npm is doing well but seems like no large ecosystem is doing exceptionally well either.

[cenamus]

I'd say jus about every major linux dist is doing about 2 orders of magnitude better than npm

[zahlman]

> But never ever anyone was rooted because of malware that was snuck into an official .deb package.

Sure. The tradeoff is that when there's a zero-day, you have to wait for Debian to fix it, or to approve and integrate the dev's fix. Finding malware is one thing; finding unintentional vulns is another.