benjojo replied 31 Mar 2024 21:52 +0000
in reply to: https://mastodon.social/users/Viss/statuses/112192438184117607

@Viss @bert_hubert Who is this we?

Like, without being too snarky, but ecosystem changes did happen as a result of left-pad. npm has restrictions, other platforms like the go ecosystem proxy cache packages, the list is quite long on improvements to that part of the ecosystem.

Assuming this is a xz related post, I don't really see how this is related, one is an individual deciding that they wanted to pull a repo and causing a dependency stack-of-cards to come falling down (something that the JS ecosystem was especially sensitive to), and the xz incident was a likely state actor working their way into an open source project over a longer set of time, and writing sophisticated payloads to sneak into upstream dependencies.

What could we have learned from left-pad that would have applied to xz here? I don't get it. Open source bad? Vendor everything? Audit every single endless tree of changes that happens to you downstream?

All these kind of vague-y posts do is demotivate people who actively are trying to turn things around.

Viss@mastodon.social replied 31 Mar 2024 21:58 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/mqjg2F661B1YwW2vz6

@benjojo @bert_hubert

one way to say it is "in eight years we apparently haven't lifted a finger to address the systemic issue of 'one guy maintains a project that everyone uses resulting in an incredibly fragile, easily manipulated/broken environment'. be it left-pad, xz or any other open source project that fits this model."

another way to say it is "oh, this again"

yet another way to say it is "people would rather argue online than fix stuff"