I think you missed the mark a bit here. This wasn’t a dependency that was compromised, it was a dep that was malicious from the start. Package manager doesn’t really play into this. Even if this package was vendored the outcome would have been the same.
> I think you missed the mark a bit here. This wasn’t a dependency that was compromised, it was a dep that was malicious from the start.
You're making assumptions that I am making assumptions, but I wasn't making assumptions. I understand the attack.
> Package manager doesn’t really play into this.
It does, for the reasons I described.
No, the package manager actually DOES play into this. Or, rather, the best practices it enforces do. I would be seriously surprised if Debian shipped malware, because the package manager is configured with Debian repos by default and you know you can trust these to have very strict oversight.
If apt's DNA were to download package binaries straight from GitHub, then I would blame it on the package manager for making it so inherently easy to download malware, wouldn't I?