upvote

points

by wps17 hours ago |
comments
upvoteby semi-extrinsic15 hours ago|
next
[-]
We run everything NPM related inside Apple containers, and are looking to do the same with Python and Rust soon. Bwrap on Linux does the same.

I like to think of it like working with dangerous chemicals in the lab. Back in the days, people were sloppy and eventually got cancer. Then dangers were recognized and PPE was developed and became a requirement.

We are now at the stage in software development where we are beginning to recognizing the hazards and developing + mandating use of proper PPE.

A couple of years ago, pip started refusing to install packages outside of a virtualenv. I'm guessing/hoping package managers will start to have an opt-in flag you can set in a system-wide config file, such that they refuse to run outside of a sandbox.

reply
upvoteby f311a42 minutes ago|
parent|
next
[-]
What are you using that utilizes Apple containers?
reply
upvoteby mike_hearn13 hours ago|
parent|
prev|
[-]
The problem is that package managers are a distraction. You have to sandbox everything or else it doesn't work. These attacks use post-install hooks for convenience but nothing would have stopped them patching axios itself and just waiting for devs to run the app on their local workstation. So you end up needing to develop in a fully sandboxed environment.
reply
upvoteby semi-extrinsic7 hours ago|
parent|
next
[-]
They are not a distraction when they are also the command runners.
reply
upvoteby PunchyHamster9 hours ago|
parent|
prev|
[-]
Yeah the whole rush on "post-run hooks bad" isn't really adding all that much to security.

Like congratulations, your dev was compromised whole 10 minutes later after he ran code.

reply
upvoteby jjice9 hours ago|
prev|
next
[-]
While it's not perfect, pinning specific versions and managing all updates directly has been a solid solution for my team. Things can of course still slip through, but we're never vulnerable to these just because there was a new package release and we opted into it by default.

Updating packages takes longer, but we try to keep packages to a minimum so it ends up not being that big deal.

reply
upvoteby PhilipRoman15 hours ago|
prev|
next
[-]
This sounds like satire but isn't - I just make sure the nodejs/npm packages don't exist on my system. I've yet to find a crucial piece of software that requires it. As much as I love that cute utility that turns maps into ascii art, it's not exactly sqlite in terms of usefulness.
reply
upvoteby whywhywhywhy12 hours ago|
parent|
[-]
Bit ridiculous to dismiss the most popular programming languages packaging repo as silly toys.
reply
upvoteby PhilipRoman11 hours ago|
parent|
[-]
I don't deny that node/npm is useful for building servers, devtools for JS development itself, etc. but as an end user I haven't encountered anything useful which requires having it on my machine.
reply
upvoteby habinero5 hours ago|
parent|
[-]
Ok? So you don't code in that language?

You still have multiple programming languages preinstalled on your OS, no matter which one it is.

reply
upvoteby friendzis16 hours ago|
prev|
[-]
[flagged]
reply
upvoteby wps16 hours ago|
parent|
next
[-]
Hello. You missed the point I was making drastically. Of course for software that I build personally I can do all that, but not for all the random stuff in my system that I’m trusting maintainers to package for me, or otherwise good PKGBUILDS in the AUR. You physically cannot have the bandwidth to be on top of these supply chain issues all the time.

Also, semantic versioning is not some golden goose that fixes this issue, update embargoes help, but that doesn’t require semver. Vendoring dependencies is not a scalable solution for all the software people use.

reply
upvoteby friendzis16 hours ago|
parent|
[-]
> You physically cannot have the bandwidth to be on top of these supply chain issues all the time

> semantic versioning is not some golden goose that fixes this issue

Nothing is a golden goose, however semver is designed to limit the scope of incoming changes so you have a chance of staying on top.

> Vendoring dependencies is not a scalable solution for all the software people use.

There are literally three ways to deal with these supply chain issues:

1. Allocate the bandwidth yourself

2. Buy that bandwidth

3. Yolo

reply
upvoteby cromka16 hours ago|
parent|
prev|
[-]
What a weird way to virtue signal.
reply