
> > Though, can you point me at a marketplace as big as the App Store without loads of scams?

GNU/Linux repositories.



The biggest of those is NPM, I think, which appears to be between 50% and 100% as big as the app store. Let's call that equal in size, shall we?

https://nitter.net/npm_malware has twenty postings in the last 19 hours, quite far from "without".


NPM is also used by Windows and macOS machines, and who knows which else. *BSD? Anything that runs JavaScript?

Probably OP was thinking about the deb and rpm repositories of the main distributions but yes, NPM and the likes are other examples of large repositories.


Yes, I meant deb/rpm repositories. NPM is not a Linux repo, it's multipurpose, with lots of proprietary software.


It's the open part of it that's comparable to the app store in size. The closed part is in addition.

I agree there are Linux-only repos that are ~1% of that size and contain little or no malware or abuse. That's true whether you measure size in updates per day or total count of packages, so 1% seems reachable without considerable malware problems.


> so 1% seems reachable without considerable malware problem

Another plausible explanation is that pure FLOSS repos are free from malware.


No, npm is not a Linux distribution. It's a programming language package manager and package repository.

The distinguishing feature of Linux distributions is the existence of maintainers. Human beings who put effort into maintaining the quality and integrity of the packages and keeping them up to date. We Linux users generally trust those people, and they stand between us and all the software developers out there. To get to us, you gotta go through them. And they generally aren't in the habit of allowing obvious malware into the software repositories. That's why we trust them in the first place.

Contrast that to repositories like npm, pypi, rubygems, cargo, which are all designed so that any random person can make an account and push up any package they want. There's no checking. Accounts might be compromised or outright bought by malicious actors. Just like popular browser extensions which get bought and converted into malware.


NPM is not a Linux repository.


> The biggest of those is NPM, I think

No, it's not even a Linux package repository. Think repositories for Debian, Fedora, Arch, etc.


I mentioned it because it contains a lot of GPL-licensed packages, a lot of it is used on Linux, and it's at least near the scale of the app store. It falls a little short along all three axes, but it seems to be the closest.

I don't think Debian, Fedora or Arch are anywhere close to a million packages or a thousand updates per day. Well below 10%. They're GNUish and 100% Linux, but really bad on the size axis.

The app store has at least two classes of problems that those three don't have, and have to handle the problems at much higher scale. "Those guys manage to handle a simpler problem at much smaller scale, so it's possible for the app store too" is hardly an argument.


Is the malware in NPM in the GPL part? I guess no, so this is my point: FLOSS repos can be trusted.


Yes it is. Most likely also in the other part, although the link I included doesn't mention any of that. The key appears to be: a large repo with lots of uploaders, some of whom guard their passwords poorly.

As long as a FLOSS repo is small and has few uploaders, it'll be safe. Hardly a model for a big and busy repo like the app store, of course.


The largest Linux repo is nixpkgs.
