
> Distro packages have to be approved by a human which adds a huge amount of admin overhead, delays and so on. I don't think anyone in most programming language communities wants that.

Yes, and distro users complain that software isn't updated fast enough. Then you give them faster updates, and it breaks, and they complain more. If malware made its way in, they'd complain much more. On balance, security is much better for everyone than bleeding edge.

> You can automatically scan for similar packages with similar names and wildly different download counts and just ask the user "are you sure you didn't mean httplib?"

When? When they've already edited their requirements.txt file, committed, pushed to Git, and it's building on the CI server? You can't depend on developers to figure out if they meant httplib or httpiib or httplib (Unicode character spoofing). It's too easy to quickly choose the wrong thing, and the consequences can be dire. The wrong thing should simply never make it into stable repos, period.



