dpc_01234, 4 days ago:
NPM dev gets hacked, packages compromised, it's detected within a couple of hours. XZ got hacked, it reached development versions of major distributions undetected, right inside _ssh_, and it only got detected because someone luckily noticed and investigated slow ssh connections. Still some C devs will think it's a great time to come out and boast about their practices and tooling. :shrug:
grayhatter, 4 days ago (reply to dpc_01234):
xz didn't get hacked (phished). For xz, an advanced persistent threat inserted hypertargeted self-modifying code into a tarball. A single npm dev was "hacked" (phished) by a moderate-effort, presumably drive-by, crypto thief. I have no idea what you meant by "right inside _ssh_", but I don't think that's a good description of what actually happened in any possible case. I'm unlikely to defend C devel practices, but this doesn't feel like an indictment of C; if anything the NPM ecosystem looks worse by this comparison. Especially considering the comment you replied to was advocating for minimizing dependencies, which, if the distros affected by xz being compromised had followed (instead of patching sshd), they wouldn't have shipped a compromised version.
typpilol, 4 days ago (reply to dpc_01234):
Lol, it's so true... the C smugness is unmatched.