On 2022-02-09 23:16, Robin H. Johnson wrote:
> Yes, Go is the biggest nail sticking out right now, but it's a growing
> problem overall.
> - Golang modules
> - Rust crates
> - NodeJS modules
> - Texlive packages
>
>
> Third party systems would be required to provide suitable security on
> their distfiles. Go & Rust do. I think NodeJS & Tex don't, but I'm happy
> to be proven wrong.

package.lock files have "integrity" keys:
https://docs.npmjs.com/cli/v6/configuring-npm/package-lock-json#integrity

Texlive repository files (texlive.tlpdb) have checksums of every package
in them
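As an added illustration of the two checks this reply points at (not code from the thread, npm or TeX Live), the following script verifies a downloaded tarball against an npm package-lock "integrity" value (SRI form, `sha512-<base64>`, lockfileVersion 1 layout as in the linked npm v6 docs) and against the per-package checksum in a texlive.tlpdb stanza. The tlpdb field name `containerchecksum` (a sha512 hex digest) and the policy of refusing legacy `sha1-` integrity values are assumptions of this example; the tarball bytes, lock file and tlpdb stanza are constructed inline.

```python
import base64
import hashlib
import hmac
import json
import re

# Hash algorithms accepted for SRI-style integrity values. npm still emits
# legacy "sha1-" values for old packages; refusing them is this example's
# policy, not npm's behaviour.
ALLOWED_ALGOS = ("sha256", "sha384", "sha512")

# Assumed tlpdb field carrying the sha512 hex digest of the package container.
TLPDB_CHECKSUM_KEY = "containerchecksum"


def sri_from_bytes(data: bytes, algo: str = "sha512") -> str:
    """Produce an SRI string ("sha512-<base64>") as found in package-lock.json."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check tarball bytes against a package-lock "integrity" value.

    The value may carry several space-separated hashes; per SRI semantics
    only the strongest allowed algorithm is consulted, and any matching
    entry for it accepts. Unknown or disallowed algorithms never accept.
    """
    by_algo: dict[str, list[str]] = {}
    for entry in integrity.split():
        algo, sep, b64 = entry.partition("-")
        if sep and algo in ALLOWED_ALGOS:
            by_algo.setdefault(algo, []).append(b64)
    if not by_algo:
        return False
    strongest = max(by_algo, key=ALLOWED_ALGOS.index)
    actual = hashlib.new(strongest, data).digest()
    for b64 in by_algo[strongest]:
        try:
            expected = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if hmac.compare_digest(actual, expected):
            return True
    return False


def lockfile_integrity_map(lock_json: str) -> dict[str, str]:
    """Map package name -> integrity across a lockfileVersion 1 dependency tree."""
    out: dict[str, str] = {}

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if "integrity" in meta:
                out[name] = meta["integrity"]
            walk(meta.get("dependencies", {}))

    walk(json.loads(lock_json).get("dependencies", {}))
    return out


def tlpdb_checksums(tlpdb_text: str) -> dict[str, str]:
    """Collect name -> container checksum from blank-line separated tlpdb stanzas."""
    out: dict[str, str] = {}
    for stanza in re.split(r"\n\s*\n", tlpdb_text.strip()):
        fields = dict(line.split(" ", 1) for line in stanza.splitlines() if " " in line)
        if "name" in fields and TLPDB_CHECKSUM_KEY in fields:
            out[fields["name"].strip()] = fields[TLPDB_CHECKSUM_KEY].strip()
    return out


def verify_tlpdb_container(data: bytes, hex_sha512: str) -> bool:
    """Compare a fetched container against the tlpdb sha512 hex digest."""
    return hmac.compare_digest(hashlib.sha512(data).hexdigest(), hex_sha512.lower())


# Constructed sample inputs (not real packages).
GOOD_TARBALL = b"constructed: contents of example-lib-1.0.0.tgz"
TAMPERED_TARBALL = GOOD_TARBALL + b"\n# injected postinstall payload"
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 1,
    "dependencies": {"example-lib": {
        "version": "1.0.0",
        "resolved": "https://registry.example/example-lib/-/example-lib-1.0.0.tgz",
        "integrity": sri_from_bytes(GOOD_TARBALL)}}})
SAMPLE_TLPDB = f"""name texlive-example
category Package
revision 1
containersize {len(GOOD_TARBALL)}
containerchecksum {hashlib.sha512(GOOD_TARBALL).hexdigest()}
runfiles size=1
 texmf-dist/tex/latex/example/example.sty

name other-package
category Package
revision 2
"""

if __name__ == "__main__":
    want = lockfile_integrity_map(SAMPLE_LOCK)["example-lib"]
    print("npm good:", verify_sri(GOOD_TARBALL, want))          # True
    print("npm tampered:", verify_sri(TAMPERED_TARBALL, want))  # False
    tl = tlpdb_checksums(SAMPLE_TLPDB)
    print("tlpdb good:", verify_tlpdb_container(GOOD_TARBALL, tl["texlive-example"]))
```

Both checks only bind the fetched bytes to whatever the lock file or tlpdb says; the lock file or tlpdb itself still has to reach the build host intact, which is the point of mirroring those metadata files alongside the distfiles rather than trusting the upstream registry at fetch time.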