There is a multitude of software and code ecosystems: Linux distribution packages, language-specific (e.g. Python or Node.js) modules, third-party desktop themes, git repositories, and recently also Flatpak and Snap. Users thus obtain software and code mainly from the network. This talk explores what can go wrong in such code delivery mechanisms, and what actually went wrong when a new threat materialized: networks in certain countries started to become unreliable "thanks" to their governments (classic example: https://isitblockedinrussia.com/?host=7-zip.org == true). It also covers what technical steps can be taken for these ecosystems to survive as censorship and overblocking spread even further across the globe.
The focus will be on how mirror networks and CDNs operate (what the difference between them is and why it matters), illustrated by the examples of Debian mirrors and NPM. Both availability and integrity concerns regarding code delivery will be discussed.