On Sat, 13 Jun 2026 at 10:58, Ralf Mardorf <[email protected]> wrote:
> On Sat, 2026-06-13 at 10:28 +0100, Andy Pieters wrote:
> > After all it is far better to make decisions when emotions have cooled
> > down and the clear light of day shines upon it.
>
> Hi,
>
> it seems you've completely misunderstood me.

guilty as charged :-P

> I didn't write this out of emotion. This isn't about AUR Helper either.
> I'm talking about package management via npm, pip, and similar tools,
> and the fact that issues like micro-package madness, the left-pad
> incident, and supply-chain attacks and and and have been a concern for a
> long time.
>
> I would prefer a method where everything is installed exclusively
> through a distribution's package manager, in our case, pacman, so that
> it can be completely uninstalled without any issues and can be installed
> anytime it's needed, https://en.wikipedia.org/wiki/Npm_left-pad_incident
> .

I do tend to favour installing pacman versions of python-, node-, etc., but I'm not sure if it's feasible to have a maintainer for each and every possible package, not to mention keep them all to the latest version required by the software's own manifests.... But yes, supply-chain attacks are here to stay and some mechanism must be implemented to deal with
