When I was young, my parents taught me not to accept candy from strangers,
unless they were present and approved of it, because there was a small risk
of very bad things happening.
It was of course a simplicistic rule, but it had to be easy enough to follow
for somebody who wasn't proficient (yet) in the subleties of social
interactions.

One of the reasons why it worked well was that following it wasn't a big
burden: at home candy was plenty and actual offers were rare: I only
remember missing one piece of candy because of it, and while it may have
been a great one, the ones I could have at home were also good.

Contrary to candy, offers of gratis software from random strangers are quite
common: from suspicious looking websites to legit and professional looking
ones, to platforms that are explicitely designed to allow developers to
publish their own software with little or no checks.

Just like candy, there is also a source of trusted software in the Linux
distributions, especially those lead by a community: I mention mostly Debian
because it's the one I know best, but the same principles apply to Fedora
and, to some measure, to most of the other distributions.
Like good parents, distributions can be wrong, and they do leave room for
older children (and proficient users) to make their own choices, but still
provide a safe default.

Among the unsafe sources there are many different cases and while they do
share some of the risks, they have different targets with different issues;
for brevity the scope of this article is limited to the ones that mostly
concern software developers: language specific package managers and
software distribution platforms like pypi, npm and rubygems etc.

These platforms are extremely convenient both for the writers of libraries,
who are enabled to publish their work with minor hassles, and for the people
who use such libraries, because they provide an easy way to install and use
an huge amount of code. They are of course also an excellent place for
distributions to find new libraries to package and distribute, and this I
agree is a good thing.

What I however believe is that getting code from such sources and using it
*without carefully checking it* is even more risky than accepting candy from a
random stranger on the street in an unfamiliar neighborhood.

The risk aren't trivial: while you probably won't be taken as an hostage for
ransom, your data could be, or your devices and the ones who run your
programs could be used in some criminal act causing at least some monetary
damage both to yourself and to society at large.

If you're writing code that should be maintained in time there are also
other risks even when no malice is involved, because each package on these
platform has a different policy with regards to updates, their backwards
compatibility and what can be expected in case an old version is found to
have security issues.