[kwlug-disc] NPM supply chain worm

Jason Locklin Jason at Locklin.science
Thu Sep 18 09:49:45 EDT 2025


Speaking of "watering holes" and supply chains, for those of us not neck-deep in Linux software distribution, it's getting very difficult to follow all the different software sources. Years ago, I mostly just used the Debian repos for everything (and CRAN - because dayjob)*. Now, we have all the container-type repos, and so many projects seem to heavily recommend one or another to keep up. Because of the convenience of docker-compose, Docker is a big one, but I've used nix, flatpak, snap, and those language-specific managers like npm, cargo, pip(x), etc. Unfortunately, I've seen "curl to bash" come up a lot more lately with small hobby projects too (I've occasionally run this with distrobox to at least contain it).

So my question is, what is your decision tree for choosing sources to install software from? How trustworthy do you consider the various sources? Any no-gos?

*if anyone on here is part of the folk maintaining the csclub mirror over the years, I have no end of thanks.
