Log4Shell was hardly a supply-chain attack - just a latent bug in a widely-used library. That can happen anywhere.

Maven to this day represents my ideal of package distribution. Immutable versions save so much trouble and I really don't understand why, in the age of left-pad, other people looked at that and said, "nah, I'm good with this."

Other languages have package managers (perl) and there are package managers in existence that are not so vulnerable to this issue. IMO, it stems from one place: Transitive dependencies and general opaqueness of the issue.

In package managers like pacman, apt, apk,... it's easier to catch such issue. They do have postinstall scripts, but it's part of the submission to the repo, not part of the project. Whatever comes from the project is hashed, and that hash is also visible as part of the submission. That makes it a bit difficult to sneak something. You don't push a change, they pull yours.

Log4Shell was not a supply chain attack.

Come on dude. The issue is the frequency and magnitude of these attacks. Log4Shell was also not a supply chain attack.

I looked at the Rust one for example, which is literally just a malicious crate someone uploaded with a similar name as a popular one:

> The crate had less than 500 downloads since its first release on 2022-03-25, and no crates on the crates.io registry depended on it.

Compared to Axios, which gets 83 million downloads and was directly compromised.

What an extremely disingenuous argument lol

C++ ftw