When will we learn?


A timeline of supply-chain attacks across npm, PyPI, Cargo, RubyGems, and other package registries is presented, arguing that these incidents are a predictable consequence of package managers that publish vendor-uploaded packages without independent review. The author contends that Linux distribution package managers solve this problem through independent maintainers, review processes, reproducible builds, and stable distributions, and challenges overlay package managers (npm, Cargo, PyPI, etc.) to adopt similar practices or be considered redundant.

From drewdevault.com (3 min read)
Table of contents

- Timeline of major incidents on npm/Crates/PyPI/etc
- Timeline of similar incidents in official Linux distribution repositories
- Why is this happening?
- Can these package managers do it better?
