It's not only the packager. Some distros have an actual security team. That does not mean they audit everything, but it's vastly better than getting random code from PyPI.
The point is that if you pull 100 dependencies from PyPI, you have absolutely no idea who you are trusting unless you put in the effort to go check those 100 dependencies.
If you link to dependencies that you get from Canonical, then you know that a security team is caring about the packages that Canonical distributes and actually patches them. Who patches security issues in PyPI? The individual package maintainers, who may well be pushing malware leveraging typo-squatting. Typo-squatting is not really a thing in the Ubuntu package manager, is it?
Not saying it's perfect. Just that it's better than the far west. PyPI is pretty much like downloading a .exe from a webpage without even opening the webpage (because back in the day, opening the webpage could sometimes - not always - tell you that it was clearly shady).
All I hear is “here’s a business opportunity, go figure out if you can sell a python registry with libraries vetted by a security team”. Maybe there’s money in it.
Canonical doesn't do this as goodwill. They make money on it, right? Who vets packages for Fedora? Alpine? Arch?
The money is in the service that flags stuff in the registry, which you can sell N times to N companies that now have both embedded and vendor security teams. The companies now need to self host the registry and the scanner to see what’s out of compliance, otherwise they can’t be a vendor for anyone else. And their embedded security team basically siphons cash away from corporate, functioning as an engine of harassment for devs trying to get work done, while working as middlemen for the upstream security vendor.
Since none of this is particularly effective or efficient, money is made from someone's perspective, but mostly it functions like a "cost of doing business" tax that you can't avoid.
Isn't that what Anaconda does? As opposed to, say, conda-forge? Anaconda tries hard to get orgs to pay money when they could just use conda-forge, which has more packages, is more up to date, etc.