Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

> Git != Github

That's why I'm putting emphasis on it, because to Go it is.

And to languages that actually have centralized package repositories it isn't. There is a difference between code and packages and Go simply does not have the latter (in the traditional sense - what Go calls a package is a collection of source files in the same directory that are compiled together within a module (a module is a collection of packages (again, code) that are released, versioned, and distributed together. Modules may be downloaded directly from version control repositories or via proxy servers)).

To the other languages mentioned above, packages may have binaries, metadata and special script hooks. There is a package manager like pip , cargo or npm and if you want to install one, you won't have to specify a URL because there is a canonical domain to go to.

Go just knows code and it'll use git, hg or even svn. And if you want to claim that lots of open-source code being on GitHub makes it special, then

> GitHub is every single programming language's centralized package repository

and

> Someone at Microsoft with root access could compromise every user of every single programming language

I think you're being silly to be so insistent about this. 95% of Go packages are hosted on Github, a centralized hosting platform. The fact that they install via the git protocol (or do they? do they just use https to check out?) is immaterial.

95% of Python packages are installed from PyPI, but just like Go can also install from non-Github sources, Python supports installing from other non PyPI indexes[0] or even from a Git repository directly[1] like Go.

> what Go calls a package is a collection of source files in the same directory

What is it that you imagine Python or NPM packages consist of? Hint: A Python .whl file is just a folder in a zip archive (Python also supports source distributions directly analogous to Go)

[0] https://docs.astral.sh/uv/concepts/indexes/

[1] https://thelinuxcode.com/install-git-repository-branch-using...

> 95% of Go packages[=code, the author] are hosted on Github

So "GitHub is every single programming language's centralized package repository, because lots of code is hosted there" ?

> Python supports installing from other non PyPI indexes > 95% of Python packages are installed from PyPI, but just like Go can also install from non-Github sources, Python supports installing from other non PyPI indexes[0] or even from a Git repository directly[1] like Go.

And yet there is a clear difference between source distributions and pip/npm/rubygem/cargo packages - and between tooling/ecosystems that ONLY support the former and those that MAY use either and unfortunately mostly use the latter.

> What is it that you imagine Python or NPM packages consist of?

Something like a script that runs as part of the package that downloads a tarball, modifies package.json, injects a local bundle.js and runs npm publish (see this post). Usually also hosted at the default, centralized, authoritative source run by the maintainers of the package management tool.

But I'm repeating myself.

> (or do they? do they just use https to check out?)

Maybe try it out or read the docs first.

I'm closing with this:

> NPM, Python, Rust, Go, Ruby all suffer from this problem, because they have centralized and open package repositories.

is either wrong or disingenuously misleading, requiring nothing to apply to every single thing, depending on how you slice your definitions. It does not hold any water, that is my entire argument.

k, let me know how your CI pipeline fares the next time there's a Github outage and we can revisit this discussion of Go's fantastic uniquely decentralized dependency management.