undefined

points

[-]

Log4Shell was hardly a supply-chain attack - just a latent bug in a widely-used library. That can happen anywhere.

Maven to this day represents my ideal of package distribution. Immutable versions save so much trouble and I really don't understand why, in the age of left-pad, other people looked at that and said, "nah, I'm good with this."

by imInGoodCompany16 hours ago|

parent|

[-]

Completely agree. NPM has the only registry where massive supply chain attacks happen several times a year. Mainly the fault lies with NPM itself, but much of it is just a terrible opsec culture in the community.

Most package.jsons I see have semver operators on every dependency, so patches spread incredibly quickly. Package namespacing is not enforced, so there is no way of knowing who the maintainer is without looking it up on the registry first; for this reason many of the most popular packages are basically side projects maintained by a single developer*. Post-install scripts are enabled by default unless you use pnpm or bun.

When you combine all these factors, you get the absolute disaster of an ecosystem that NPM is.

*Not really the case for Axios as they are at least somewhat organized and financed via sponsors.

by waterTanuki15 hours ago|

parent|

prev|

[-]

The semantics are irrelevant. The effect is what's important: Hijacking widely used software to exploit systems. The OC is somehow under the illusion that avoiding JS altogether is a silver bullet for avoiding this.

Forest > Trees

by pianoben7 hours ago|

parent|

[-]

The semantics are very relevant, since you presented it as a supply-chain attack. If you call a library vulnerability a supply-chain attack, then your argument has lost coherence.

> The OC is somehow under the illusion...

Avoiding package managers with shitty policies is the silver bullet for this attack vector. I get that it can be useful in the moment to retract published artifacts, or update them in-place, or run some code after your artifact is downloaded, but all of these are false economies in our hostile environment.

by imInGoodCompany16 hours ago|

prev|

[-]

Log4Shell was not a supply chain attack.

by skydhash17 hours ago|

prev|

[-]

Other languages have package managers (perl) and there are package managers in existence that are not so vulnerable to this issue. IMO, it stems from one place: Transitive dependencies and general opaqueness of the issue.

In package managers like pacman, apt, apk,... it's easier to catch such issue. They do have postinstall scripts, but it's part of the submission to the repo, not part of the project. Whatever comes from the project is hashed, and that hash is also visible as part of the submission. That makes it a bit difficult to sneak something. You don't push a change, they pull yours.

by mememememememo17 hours ago|

prev|

[-]

C++ ftw

by slopinthebag16 hours ago|

prev|

[-]

Come on dude. The issue is the frequency and magnitude of these attacks. Log4Shell was also not a supply chain attack.

I looked at the Rust one for example, which is literally just a malicious crate someone uploaded with a similar name as a popular one:

> The crate had less than 500 downloads since its first release on 2022-03-25, and no crates on the crates.io registry depended on it.

Compared to Axios, which gets 83 million downloads and was directly compromised.

What an extremely disingenuous argument lol

by waterTanuki13 hours ago|

parent|

[-]

What exactly do you think the argument is?

The issues have everything to do with npm as a platform and nothing with JS as a language. You can use JS without npm. Saying you'll escape supply chain attacks by not using JS is like saying you'll be saved from an car crash with a parachute.

by PunchyHamster9 hours ago|

parent|

[-]

Well, this particular case could be wholly avoided if it didn't take 2 decades to get competent HTTP(S) client into core language