this post was submitted on 14 Jun 2026
160 points (97.6% liked)

Linux

14231 readers
435 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] brucethemoose@lemmy.world 1 points 3 weeks ago

there is at least an implicit tree of trust, with each dependant in a dependency tree doing at least some minimal vetting of dependencies.

Depends.

Unless every single dependency is version locked, one update or maintainer change can silently compromise the whole chain. Obviously this is a problem for AUR (as Arch is a single rolling release), but it can hit Rust and PyPi in a similar way.

And a strict “version locking” ethos can lead to security problems down the line, too.

Also, in this case, they exploited PKGBuild an npm, yes. But I think that was just out of convenience. It’s easy to sneak some malware downloader into a long Rust dependency chain, even if it’s technically all open code.