I'll note that openSUSE also has Packman which a shitton of people enable (for codecs), has also 'one namespace only' and looser policies than the main distro.

I do not think this is something you can escape by switching distro.

Zypper at least has a notion of "vendor", so you can arrange things so that only the handful of packages you care about will actually come from Packman.

Ubuntu actually has first-party repositories with proprietary codecs.

Nixpkgs is a pretty comprehensive monorepo of packages with a more normal review process than the AUR, and it includes non-free software as well, plus the model with flakes for third-party stuff is that you trust individual publishers for their little repos rather than one giant grab bag repo of unreviewed content like the AUR.

RPMFusion for Fedora kinda has a similar profile, in that it's a shared repo for various things unsuitable for the main one, but it follows more or less normal Fedora packaging and review standards, doesn't it?

Supply chain attacks are possible everywhere and some distros have particular weaknesses, but the AUR really is pretty much uniquely bad here.

Nix also forces builds to be sandboxed. Now you actually need to run an infected build output to be affected.

I use Gentoo. You have to specifically install "overlays" and every package maintainer would make their own overlay. You can't easily take over an overlay without the original person's permission.

That being said, still one namespace. Once you add an overlay it can replace any package it wants.

It's also Gentoo so too hard for most people to figure out.

Yes, the only reason this isn't happening in other distros is simply popularity.

Namespacing is the solution, and as mentioned in the article some distros do indeed have namespaced user repos, like Fedora's Copr. The trust model of a flat namespace user repo is completely broken when the maintaining user can change at any moment.

Isn't Arch's AUR flat namespace quite unique? Ubuntu's PPAs are also not flat.

openSUSE's OBS and Gentoo's overlays aren't a single shared repo either.

Packman is more akin to rpmfusion than AUR. OBS is the AUR equivalent for openSUSE.

"One namespace" is also technically true but doesn't work the same way with dnf or zypper as it does with pacman. dnf and zypper both make it easy to be explicit about the priorities of your repos and also to track which packages come from which repos and prevent that from changing. Plus openSUSE has a generously free public instance of the Open Build Service that you can easily use to host your own repos, and which hosts many individual repos you can add for specific purposes. When I ran openSUSE I always just ran my own repo there with only the extra packages I actually wanted, often just "forking" packages from repos hosted by well-known openSUSE developers so that I didn't have to manage updating the source packages myself but still didn't pull in the whole world from those repos and also didn't implicitly trust anything as loose as the AUR.
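The repo-priority and "vendor" mechanisms mentioned in this comment and in the earlier zypper comment look like this in practice. This is an added, constructed example, not configuration from any of the commenters; the repo aliases, names and baseurl values are placeholders, and the priority numbers are one reasonable choice rather than a recommendation from the thread.

```ini
# --- Fedora / dnf: /etc/yum.repos.d/rpmfusion-free.repo (constructed example) ---
# dnf priorities: a LOWER number wins, and the default is 99. Giving an add-on
# repo a higher number than the distro repos means it can only supply packages
# the main repos do not carry; it cannot shadow a core package with a newer build.
# Weak setting: omit "priority" (or set it below 99) so the add-on repo can
# replace anything the main repos ship whenever it has a higher version.
[rpmfusion-free]
name=RPM Fusion Free (placeholder)
baseurl=https://example.invalid/rpmfusion/free/
enabled=1
gpgcheck=1
priority=100

# --- openSUSE / zypper: /etc/zypp/repos.d/packman.repo (constructed example) ---
# zypper priorities work the same way: lower number wins, default 99.
[packman]
name=Packman (placeholder)
enabled=1
autorefresh=1
baseurl=https://example.invalid/packman/
gpgcheck=1
priority=100

# --- openSUSE / zypper: /etc/zypp/zypp.conf, the "vendor" notion ---
# Weak: let the solver silently move a package to another vendor whenever some
# repo offers a higher version.
#   solver.allowVendorChange = true
# Hardened (the openSUSE default): an installed package keeps following the
# vendor it came from unless you switch it on purpose, e.g.
#   zypper dup --from packman
# which moves only the packages you name (or everything Packman overlaps) to
# Packman's vendor, and nothing else.
solver.allowVendorChange = false
```

To audit which repo each installed package actually came from, `dnf list --installed` prints the originating repo in its last column (shown as `@repo-alias`), and `zypper search --installed-only --details` (`zypper se -si`) prints a Repository column; `zypper lr -P` lists the configured repos with their priorities. Checking that output after adding a third-party repo is the quick way to confirm it only supplied the handful of packages you wanted.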

OBS is more like Ubuntu's Launchpad or Fedora's Copr than the AUR. Random strangers can't take over the packages of others just because they go idle, and it's a bunch of separate repos, not one. Totally different trust model.