elric 5 days ago

> 1. I genuinely don't understand why.

It's a war of attrition. You can keep bombarding developers with new and clever ways of trying to obtain their credentials or get them to click on some link while signed in. It only has to succeed once. No one is 100% vigilant all the time. If you think you're the exception, you're probably deluding yourself.

There's something broken in a system where one moment of inattention by one person can result in oodles of people ending up with compromised software, and I don't think it's the person that's broken.

kentm 4 days ago | parent | next [-]

> where one moment of inattention by one person

I'll get a lot of pushback for this, but the main problem is ecosystems that encourage using packages published by one person. I call these "some person with a github" packages, and I typically go through codebases to try to remove these dependencies specifically because of this threat vector.

Packages that are developed by a team with multiple code reviewers and a process are still at risk, don't get me wrong. But the risk is much less if one person does not have the power to unilaterally merge a PR, and more so if it's backed by an organization that has multiple active devs and processes for reviews.

If you do need to depend on these one-person packages, I'd recommend forking and carefully merging in changes, or pinning versions and manually reviewing all commits before upgrading versions. That's probably intractable for a lot of projects, but that's honestly something that we as developers need to fix by raising the bar for what dependencies we include.
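The pinning advice above can be checked mechanically. The script below is an added example (not code from the thread or any commenter) that audits a `package.json` together with a `package-lock.json` (lockfileVersion 3 layout) and reports declared ranges that can float to a new release, lock entries with no integrity hash, and packages resolved from somewhere other than the public registry. The two manifests embedded in it are constructed for illustration, including the placeholder integrity strings.

```javascript
// Added example: flag npm dependencies that are not pinned, lack an integrity
// hash, or are fetched from outside the npm registry. Sample manifests below
// are constructed, not taken from any real project.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const REGISTRY = 'https://registry.npmjs.org/';

// True when a package.json range selects exactly one version (no ^, ~, *, ranges,
// tags like "latest", or git/URL specifiers).
function isPinned(range) {
  return EXACT_VERSION.test(String(range).trim());
}

// pkg: parsed package.json; lock: parsed package-lock.json (lockfileVersion 3).
// Returns { unpinned, missingIntegrity, offRegistry }, each a list of strings.
function auditDependencies(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const report = { unpinned: [], missingIntegrity: [], offRegistry: [] };

  for (const [name, range] of Object.entries(declared)) {
    if (!isPinned(range)) report.unpinned.push(`${name}@${range}`);
  }

  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // "" is the root project itself, not a dependency
    const name = path.replace(/^.*node_modules\//, '');
    if (!entry.integrity) report.missingIntegrity.push(`${name}@${entry.version}`);
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY)) {
      report.offRegistry.push(`${name} <- ${entry.resolved}`);
    }
  }
  return report;
}

// Constructed sample package.json: one pinned dependency, two floating ranges
// and one dependency pulled straight from a git repository.
const samplePackageJson = {
  name: 'sample-app',
  dependencies: {
    'left-pad': '1.3.0',
    'lodash': '^4.17.21',
    'some-util': 'github:someone/some-util',
  },
  devDependencies: { 'eslint': '~8.0.0' },
};

// Constructed sample package-lock.json (lockfileVersion 3). Integrity values are
// placeholders, not real hashes.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER-1',
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER-2',
    },
    'node_modules/some-util': {
      version: '0.1.0',
      resolved: 'git+ssh://git@github.com/someone/some-util.git#abc123',
      // no integrity field: nothing verifies the tarball contents on install
    },
    'node_modules/eslint': {
      version: '8.0.0',
      resolved: 'https://registry.npmjs.org/eslint/-/eslint-8.0.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER-3',
    },
  },
};

function runAudit() {
  return auditDependencies(samplePackageJson, sampleLock);
}

console.log(JSON.stringify(runAudit(), null, 2));
```

Anything listed under `unpinned` can change on the next `npm install` without anyone reviewing a diff; entries under `missingIntegrity` or `offRegistry` are the ones where even a pinned version gives no guarantee about what was actually fetched.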

egorfine 5 days ago | parent | prev [-]

Then see #2: there is no way to prevent humans from actually performing detrimental actions, hardware keys or not.

vel0city 5 days ago | parent [-]

This specific attack (and many others like it) would have absolutely been foiled by U2F or passkeys. These authors would have been incapable of giving the adversary any useful credential to impersonate them by the very nature of how these systems work.

egorfine 5 days ago | parent [-]

Fair.