[kwlug-disc] NPM supply chain worm

Khalid Baheyeldin kb at 2bits.com
Thu Sep 18 14:07:54 EDT 2025


On Thu, Sep 18, 2025 at 9:52 AM Jason Locklin via kwlug-disc <kwlug-disc at kwlug.org> wrote:

> Speaking of "watering holes" and supply chains, for those of us not neck
> deep in Linux software distribution, it's getting very difficult to follow
> all the different software sources. Years ago, I mostly just used the
> debian repos for everything (and CRAN - because dayjob)*. Now, we have all
> the container type repos and so many projects seem to heavily recommend one
> or another to keep up. Because of the convenience of docker-compose, docker
> is a big one, but I've used nix, flatpak, snap, and those language specific
> managers like npm, cargo, pip(x), etc. Unfortunately, I've seen "curl to
> bash" come up a lot more lately with small hobby projects too (I've
> occasionally run this with distrobox to at least contain it).
>
> So my question is, what is your decision tree for choosing sources to
> install software from? How trustworthy do you consider the various sources?
> Any no-go's?


For me, I tend to use Ubuntu's repositories exclusively (which are mostly
Debian, plus some other stuff).
But a long time ago (~ 20+ years) it became apparent that exceptions have
to be made.
It started with Drupal. Because it is fast moving, a Debian package becomes
obsolete within months.

My current policy is to stick with Ubuntu repositories, unless there is a
very good reason to install through another channel.

Snap is the first thing I uninstall on an Ubuntu machine (whether servers
or desktops), so nothing from there.

Python pip is used for some applications that I wrote, but those are not
net facing, so security is not much of a concern.

Home Assistant now runs as docker-compose images, because the project
forced this as the only practical method for those who don't want to
install HAOS (a custom operating system just for Home Assistant).
I don't go crazy with containers otherwise, despite this being fashionable
nowadays.
For example, the 'normal way' of running Home Assistant on a Raspberry Pi
that has Ubuntu Server 24.04 LTS, would require several other images in
docker (MySQL, InfluxDB or VictoriaMetrics, Grafana, and much more).
I opt to run these from Debian packages, and drop any that don't have such
an option (e.g. VictoriaMetrics, but also for other reasons such as
inability to delete rows that have erroneous values).

Yes, it is a complicated world we have now (on so many levels, not just
software or FLOSS) ...