March 8, 2026
Duck season: quacks, hacks, hot takes
If It Quacks Like a Package Manager
Are your build tools secret app stores? Internet quacks, panics and jokes after a big scare
TLDR: A researcher says tools like GitHub Actions and Ansible now walk and quack like package managers—complete with risky chains of downloads—and points to a 23,000‑repo scare. Comments split between “not really” and “it is if it downloads code,” with some praising Go’s simpler MVS version‑picking approach as a fix.
The internet spotted a flock of “not-a-package-manager” tools waddling like, well, package managers—and the ducks came out. The article calls out how things like GitHub Actions and Ansible’s Galaxy now pull in chains of add‑ons from other add‑ons, which means your code might be quietly running code it downloaded from elsewhere. After a March 2025 scare where a retagged Action spread malicious code to over 23,000 projects, nerves are frayed and the duck memes are flying.
One commenter went straight for the semantics, saying “Not really.”—arguing you don’t get to call it a package manager just because stuff runs in sequence. His line in the sand? It only counts if it downloads code transitively on your behalf. Cue jokes about “Guess my spreadsheet is a package manager now,” and a torrent of “quack” replies.
Meanwhile, the nerdcore crowd dove into dependency drama. Ansible’s “optional” security checks and never‑ending lockfile requests got called out as a nostalgia tour of “features we almost had.” And when someone linked to Go’s MVS (Minimum Version Selection) as a clearer, simpler way to pick versions, the thread took a detour into algorithm fandom with research.swtch.com/vgo-mvs. The vibe: half panic, half pun, and 100% “can we please stop pretending these aren’t package managers” energy.
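Since the thread detoured into Go's MVS, here is the algorithm worked through on a toy dependency graph. This is an added illustration, not code from the article or from the Go toolchain; the module names, versions and requirement edges are constructed for the example. It follows the two steps from the vgo-mvs write-up: collect every (module, version) reachable from the main module's requirements, then keep only the newest version of each module. No constraint solver is involved, which is the "clearer, simpler" property commenters liked.

```python
from collections import deque

# Constructed sample graph (not from the page): each (module, version) lists
# the minimum versions of the modules it requires.
REQUIREMENTS = {
    ("main", "0"): [("A", "1.2"), ("B", "1.2")],
    ("A", "1.1"): [("B", "1.1"), ("C", "1.1")],
    ("A", "1.2"): [("B", "1.1"), ("C", "1.3")],
    ("B", "1.1"): [],
    ("B", "1.2"): [("C", "1.2")],
    ("C", "1.1"): [],
    ("C", "1.2"): [("D", "1.1")],
    ("C", "1.3"): [("D", "1.2")],
    ("D", "1.1"): [],
    ("D", "1.2"): [],
}


def parse_version(v):
    """Turn '1.10' into (1, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def build_list(root, requirements):
    """Minimal Version Selection: newest version of each module among all
    (module, version) pairs reachable from the root's requirements."""
    seen = {root}
    queue = deque([root])
    while queue:  # step 1: rough build list = transitive closure of requirements
        for dep in requirements[queue.popleft()]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    chosen = {}
    for name, ver in seen:  # step 2: keep only the newest reached version per module
        if name == root[0]:
            continue
        if name not in chosen or parse_version(ver) > parse_version(chosen[name]):
            chosen[name] = ver
    return chosen


def satisfies(build, requirements, root):
    """Check that every requirement of the root and of each chosen version is
    met by the chosen build list (no module resolved below a stated minimum)."""
    edges = list(requirements[root])
    for name, ver in build.items():
        edges.extend(requirements[(name, ver)])
    return all(parse_version(build[dep]) >= parse_version(minimum) for dep, minimum in edges)


if __name__ == "__main__":
    chosen = build_list(("main", "0"), REQUIREMENTS)
    print(chosen)  # {'A': '1.2', 'B': '1.2', 'C': '1.3', 'D': '1.2'}
    print("all minimums satisfied:", satisfies(chosen, REQUIREMENTS, ("main", "0")))
```

Note that C ends up at 1.3 even though `main` never mentions C: A 1.2 asks for at least C 1.3, B 1.2 asks for at least C 1.2, and MVS picks the larger of the minimums rather than the newest C that exists anywhere. That determinism is what a lockfile-less scheme like GitHub Actions' recursive resolution (described in the key points below) lacks.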
Key Points
- Tools with transitive dependency graphs effectively behave like package managers, requiring resolution, lockfiles, and integrity verification.
- GitHub Actions resolves actions recursively without constraint solving, lacks a lockfile and integrity hashes, and only supports top-level SHA pinning.
- Mutable tags and unpinnable transitive dependencies enabled a March 2025 attack affecting 23,000+ repositories via retagged GitHub Actions.
- Ansible Galaxy uses resolvelib for dependency resolution, lacks a lockfile, allows mutable versions, and has opt-in checksum/GPG verification.
- Terraform providers/modules use registry.terraform.io, support integrity hashes, and maintain a .terraform.lock.hcl lockfile (details partially noted).
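Because top-level SHA pinning is the only integrity control GitHub Actions offers, the one check a repository owner can actually run is "which of my `uses:` lines still point at a mutable tag or branch?" The following script does that over a workflow file. It is an added example, not the article's or GitHub's code; the sample workflow and the `some-org/lint-action` name in it are constructed. It deliberately uses a regular expression rather than a YAML parser so it runs with only the standard library, and it can only see the top level: actions that a pinned action itself pulls in are invisible to it, which is exactly the gap the key points describe.

```python
import re

# A 40-character lowercase hex string is a full commit SHA; anything else
# after the '@' (a tag like v4, a branch like main) can be retagged later.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches '- uses: ref' or 'uses: ref', optionally quoted, ignoring trailing comments.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")

# Constructed sample workflow (not from the page) mixing pinned and unpinned steps.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # full SHA
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - name: Lint
        uses: some-org/lint-action@main
"""


def classify_uses(ref):
    """Return how a single 'uses:' reference is pinned."""
    if ref.startswith("./"):
        return "local"  # lives in this repo; covered by the repo's own history
    if ref.startswith("docker://"):
        return "docker"  # image reference; pin by digest separately
    if "@" not in ref:
        return "unpinned"  # no ref at all
    version = ref.rpartition("@")[2]
    return "sha" if SHA_RE.match(version) else "mutable-tag"


def audit_workflow(text):
    """Yield (line number, reference, classification) for every 'uses:' line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            ref = match.group(1)
            findings.append((lineno, ref, classify_uses(ref)))
    return findings


def mutable_refs(text):
    """Only the references that a retag could silently change."""
    return [ref for _, ref, kind in audit_workflow(text) if kind in ("mutable-tag", "unpinned")]


if __name__ == "__main__":
    for lineno, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno:>3}: {kind:<12} {ref}")
    print("needs SHA pin:", mutable_refs(SAMPLE_WORKFLOW))
```

Run it against `.github/workflows/*.yml` in CI and fail the build when `mutable_refs` is non-empty; that blocks the retagged-action path at the top level, while the transitive actions those pinned actions reference remain outside any control the workflow author has.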