Every week there’s an article about the high vulnerability of package managers to supply chain attacks, and I’m just amazed it’s taken this long for people to figure out that routinely auto-pulling 500 disparate third-party libraries, unseen, into your project is a terrible idea.
And the thing is, the number of external dependencies (and their update volume) that you can realistically, properly vet for inclusion in your project is inherently small enough that you don’t need a package manager. And if you need a package manager to handle it all, you can’t be checking what you’re pulling in, and so you’re definitely vulnerable.
Of course there’s no reason you can’t use automated package managers *and* do the kind of due diligence a responsible developer would do when pulling code from third parties into their project, but I don’t think I’ve ever seen anyone do this. Instead it seems normal to implicitly trust anything that comes out of a package management system no matter who controls it and that’s always been wild to me.
I remember back in my MacOS dev days being told that I should be using CocoaPods, and when I told them that was a stupid idea (I had like 3 dependencies and regularly poked around in the source for all of them) I was the old-fashioned old man. “But it automates all the updates!” So what? There’s 3: a) I don’t need it, it’s super easy to pull changes from source, and b) when I do it manually I actually *look* at the updates like a sane person would. https://arstechnica.com/?p=2034866
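The manual workflow described in that post (pull the new version of a vendored dependency from source, then actually read what changed) can be made mechanical without giving up the reading part. The following is an added example, not code from the original thread or from CocoaPods: it hashes every file in the old and new copies of a vendored dependency, reports what was added, removed or changed, and puts files that execute at install or build time (setup.py, package.json, shell scripts and the like; an assumed list, not a standard) at the top of the review queue. The two "versions" of the package in `demo()` are constructed in a temporary directory for the example and do not correspond to any real project.

```python
"""Review helper for a manually vendored dependency update (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Files that run at install/build time are where supply-chain payloads usually
# land, so changes to them are read before anything else. This is an assumed,
# illustrative list; extend it for your ecosystem.
INSTALL_TIME_NAMES = {"setup.py", "pyproject.toml", "package.json", "Makefile", "configure"}
INSTALL_TIME_SUFFIXES = {".sh", ".cmd", ".ps1"}


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two manifests and list added, removed and content-changed files."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def review_order(diff: Dict[str, List[str]]) -> List[str]:
    """Order every touched file for a human read, install-time files first."""
    def is_install_time(rel: str) -> bool:
        p = Path(rel)
        return p.name in INSTALL_TIME_NAMES or p.suffix in INSTALL_TIME_SUFFIXES

    touched = diff["added"] + diff["changed"] + diff["removed"]
    return sorted(touched, key=lambda rel: (not is_install_time(rel), rel))


def write_tree(root: Path, files: Dict[str, str]) -> None:
    """Materialise a {relative path: contents} mapping on disk."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Constructed old and new copies of a made-up package 'widget' (not a real one)."""
    old_files = {
        "setup.py": "from setuptools import setup\nsetup(name='widget', version='1.0')\n",
        "widget/__init__.py": "def frob(x):\n    return x + 1\n",
        "README.md": "# widget\n",
    }
    # The 1.1 "release" adds a helper module, drops the README, and quietly
    # imports subprocess in setup.py: exactly the file a reviewer should open first.
    new_files = {
        "setup.py": "from setuptools import setup\nimport subprocess\nsetup(name='widget', version='1.1')\n",
        "widget/__init__.py": "def frob(x):\n    return x + 1\n",
        "widget/helpers.py": "def unfrob(x):\n    return x - 1\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        old_root, new_root = Path(tmp, "old"), Path(tmp, "new")
        write_tree(old_root, old_files)
        write_tree(new_root, new_files)
        diff = diff_manifests(hash_tree(old_root), hash_tree(new_root))
        return diff, review_order(diff)


if __name__ == "__main__":
    changes, queue = demo()
    for kind, paths in changes.items():
        print(f"{kind}: {paths}")
    print("read in this order:", queue)
```

The point of keeping the old manifest around is that the check does not depend on the upstream's own tags or changelog: whatever the release notes say, the only files you have to read are the ones whose hashes moved, and with three dependencies that list is short enough to actually read.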
It makes me laugh when I see programmers harping on about their memory-safe languages and how they’re not subject to buffer overruns like the old man languages, while auto-pulling 500 dependencies from randos on the Internet into their projects without even looking at them.
“Vetting” can mean delegating due diligence to the publisher (or repackager) rather than personally reading the source, but that means vetting the publisher instead. And there is a finite number of those that you can maintain vetted trust in at any one time. You can’t just assume that the “community” somehow automatically protects you against bad actors. It might, but it’s been shown many times that it might not; sometimes everyone thinks someone else would have spotted a problem and no one does.