top | item 30704232


asn007 | 4 years ago

I rarely visit HN and mostly lurk here, not sure what you're trying to point out.

I was myself hit by the issue, unfortunately, and I strongly believe that weaponising open-source is not how things should be done, so I decided to post. An attempt to bring this into the limelight, if you wish.

This incident sets a dangerous precedent in breaking a chain of trust that today's software development heavily relies on.

totony | 4 years ago

>This incident sets a dangerous precedent in breaking a chain of trust that today's software development heavily relies on

Such precedents should be set, we shouldn't be relying on that chain of trust (as clearly demonstrated here).

Updates should be vetted, signed, etc. Fetching stuff random people push to npm is a recipe for disaster.

gtirloni | 4 years ago

How are regular developers going to vet the literally 1000s of Node.js dependencies they rely on?

And who's signing these updates? The package owner? Well, he's the one adding malicious code so he can sign whatever he wants.

I'll say it again, Node.js needs a proper standard library like Go that takes care of common needs most people have. It's been improving but it was a historical mistake to let microdependencies run wild.

toomuchtodo | 4 years ago

I wasn’t suggesting any nefarious intent, only that this was the topic that made you go “Today is the day I post.”

Sorry to hear you were impacted by this. Software supply chain challenges are copious, unwieldy, and everywhere.

TMWNN | 4 years ago

>I wasn’t suggesting any nefarious intent,

Oh, please. The only thing missing was to accuse asn007 of being a "Russian troll", although I suppose you realized that that would not be appropriate in this case.

Just own up to your apology.