PyTorch and the PyPI supply chain
Posted Jan 12, 2023 12:45 UTC (Thu) by khim (subscriber, #9252)
In reply to: PyTorch and the PyPI supply chain by bof
Parent article: PyTorch and the PyPI supply chain
> So why isn't there trusted language "distros" with trusted groups of maintainers curating that into trustable, separate repos meant for the "consumers" out there?
Because there are no “consumers”?
Developers want two things which can not, obviously, be satisfied simultaneously:
- They want to be able to quickly get updates and bugfixes.
- They want to be able to be sure there is no malicious code.
Distributions solve problem #2 well but entirely fail to handle #1. Language repos and AppStores solve #1 well, but suck at #2.
Since half a loaf is better than no loaf, developers stick to what solves one problem and can half-ass the 2nd one rather than use something that fails entirely to solve half of the problem.
