Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 18-Feb-2024 15:56:20 JST Haelwenn /элвэн/ :triskell:
@GossiTheDog Wow, that is a painfully obvious backdoor, really just confirms that nobody reads.
craftycat (craftycat@mastodon.scot)'s status on Sunday, 18-Feb-2024 20:05:19 JST craftycat
@GossiTheDog This might be a very dumb question, but why on earth are randos allowed to push shit into the project without any review system in place whatsoever? I feel like some extremely basic setting changes would prevent this from happening?
craftycat (craftycat@mastodon.scot)'s status on Monday, 19-Feb-2024 01:19:46 JST craftycat
@GossiTheDog That seems like both a gross misunderstanding of what devops is, and a fault entirely caused by whoever set up said software repository. I learned how to avoid this shit within a few months of my first year as a dev student; anyone who's responsible for an open-source repo and doesn't know that is obviously unfit 😂
linuxct (linuxct@androiddev.social)'s status on Monday, 19-Feb-2024 07:31:54 JST linuxct
@GossiTheDog How is that related to DevOps though? Secure development lifecycle is the responsibility of the developer who decides to integrate the 3rd party component, not the team who makes it scale up. Or am I missing something?!
linuxct (linuxct@androiddev.social)'s status on Monday, 19-Feb-2024 07:39:39 JST linuxct
@GossiTheDog Still, isn't the vulnerability introduced by using a 3rd party component on the source level? My understanding is that the choice of these is up to software developers, and not DevOps...