I wrote a post some time ago titled “Developers shouldn’t distribute their own software”, and after a discussion on the sr.ht IRC channel today, the topic seems worthy of renewed mention. Let’s start with this: what exactly is a software distribution, anyway?
I use “software distribution” here, rather than “Linux distribution”, because it generalizes better. For example, all of the major BSD systems, plus Illumos and others besides, are software distributions, but don’t involve Linux. Some differ further still, sitting on top of another operating system, such as Nix or pkgsrc. What these systems all have in common is that they concern themselves with the distribution of software, and thus each is a software distribution.
An important trait of these systems is that they function independently of the development of the software they distribute, and are overseen by a third party. For the purpose of this discussion, I will rule out package repositories which are not curated by the third party in question, such as npm or PyPI. It is no coincidence that such repositories often end up distributing malware.