On Thu, Jan 29, 2026 at 04:06:54PM -0500, [email protected] wrote: [packaging systems, Debian vs. Maven]
Debian is a binary distribution. Maven (and npm, which resembles it somewhat) is a source distribution (for Java and, more so, for JavaScript, you don't "see" it thanks to the mantra "compile once, run everywhere" -- a friend of mine spelled that, back then, tongue in cheek, "compile once, test everywhere, oh, well"). In the end, it comes down to where your trust envelope is.

Debian is a binary distribution. Packages are centrally managed. Some packages (those on which many others depend) tend to come in one version (think libc) -- it's the packager's very job to make sure their package plays well with it. To see the advantages of such an approach, just imagine a security flaw sneaking into one of those basic packages: publishing a fix to that one fixes it for all of the distro's users (for a concrete example, think of the XZ Utils backdoor [1]).

The Maven (or npm, for that matter) model pushes the responsibility to the periphery; the ones taking the brunt are not experienced packagers, but some small website outfits out there not having the time or resources to even enumerate (let alone assess) the mountain of packages they're sitting on (been there, done that). Therefore, in this case, a malicious event tends to be more "interesting". Think Shai-Hulud, for example [2a], [2b] (thousands of repos affected, a ton of secrets exfiltrated), which also managed to find a new life in Maven [3].

Now I'm not writing this as a simplistic "binary distribution good, source distribution bad" rant: I just wanted to show one of the many facets of this design space. Source distros do have their advantages, too. My point is rather that it's not a technical problem, but a social one. You pick and choose the tech which fits the social structure you (want to) have, not the other way around.
Cheers

[1] https://en.wikipedia.org/wiki/Xz_backdoor
[2a] https://thehackernews.com/2025/11/second-sha1-hulud-wave-affects-25000.html
[2b] https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html
[2c] https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.html

-- 
t

