benjojo
replied 31 Mar 2024 21:52 +0000
in reply to: https://mastodon.social/users/Viss/statuses/112192438184117607
@Viss @bert_hubert Who is this we? Like without being too snarky but like ecosystem changes did happen as a result of left-pad. npm has restrictions, other platforms like the go ecosystem proxy cache packages, the list is quite long on improvements to that part of the ecosystem. Assuming this is a xz related post, I don't really see how this is related, one is an individual deciding that they wanted to pull a repo and causing a dependency stack-of-cards to come falling down (something that the JS ecosystem was especially sensitive to), and the xz incident was a likely state actor working their way into an open source project over a longer set of time, and writing sophisticated payloads to sneak into upstream dependencies. What could we have learned from left-pad that would have applied to xz here? I don't get it. Open source bad? Vendor everything? Audit every single endless tree of changes that happens to you downstream? All these kinda vague-y posts do is demotivate people who are actively trying to turn things around.