2d8a875f-39a2-4 3 days ago

It's a stretch to pin blame on Microsoft. They're probably the reason the service is still up at all (TFA admits as much). In hindsight it's likely that all they wanted from the purchase was AI training material. At worst they're guilty of apathy, but that's no worse than the majority of npm ecosystem participants.

simonw 3 days ago

"In hindsight it's likely that all they wanted from the purchase was AI training material."

Microsoft already owned GitHub. I don't see how acquiring npm would make a meaningful difference with respect to training material, especially since npm was already an open package repository which anyone could download without first buying the company.

leptons 2 days ago

Not all NPM packages are hosted on GitHub. I don't know what the number is, but I know I don't have my NPM packages on GitHub (instead, Bitbucket).

righthand 3 days ago

It’s NOT a stretch to blame Microsoft. How many billions have we spent chasing “AI”? These issues could have been easily solved if we spent the consideration on them. This has been going on well over a decade.

Microsoft isn’t any better steward than the original teams.

This issue has happened plenty under Microsoft’s ownership.

rs186 3 days ago

Yeah, easily solved.

Would love to hear your genius solutions right here that Microsoft is too dumb to come up with and implement.

Riverheart 2 days ago

Well, from recent experience they could make “npm audit” usable without having to use a third-party library like “better npm audit”. There’s no filtering or configuration at all. There are so many unimportant or irrelevant vulnerabilities reported that I have no doubt that people just ignore auditing because they don’t consider the 1000 high-severity DoS vulnerabilities they can’t ignore relevant for their CLI app. =/

The tradeoff for security is usability and the worse the usability gets the more people fight back against it.

https://www.npmjs.com/package/better-npm-audit
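One way to do the filtering the comment asks for, as an added example (not code from this thread or from better-npm-audit): it takes an npm audit JSON report, drops advisories below a chosen severity and those on an explicit exception list where each suppression carries a written reason, and returns what remains. The sample report is constructed, modeled on the auditReportVersion 2 layout of `npm audit --json` in npm 7+; the package names and advisory ids in it are made up.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2, npm 7+).
// Package names and advisory ids (`source`) are invented for this example.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "left-padder": {
      name: "left-padder", severity: "high", isDirect: false, fixAvailable: true,
      via: [{ source: 1001, title: "Regular expression DoS", severity: "high", cwe: ["CWE-1333"] }],
    },
    "tiny-yaml": {
      name: "tiny-yaml", severity: "critical", isDirect: true, fixAvailable: false,
      via: [{ source: 1002, title: "Prototype pollution", severity: "critical", cwe: ["CWE-1321"] }],
    },
    "colorizer": {
      name: "colorizer", severity: "low", isDirect: true, fixAvailable: true,
      via: [{ source: 1003, title: "Uncontrolled resource use", severity: "low", cwe: ["CWE-400"] }],
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Filter an audit report. Advisories ranked below `minSeverity` are dropped;
// `exceptions` maps advisory id -> reason, so every suppression is documented
// in the repo rather than silently ignored.
function filterAudit(report, { minSeverity = "moderate", exceptions = {} } = {}) {
  const kept = [];
  const suppressed = [];
  for (const vuln of Object.values(report.vulnerabilities)) {
    // String entries in `via` point at another package's advisory; only objects carry advisory data.
    for (const adv of vuln.via.filter((v) => typeof v === "object")) {
      const record = { package: vuln.name, id: adv.source, title: adv.title,
        severity: adv.severity, isDirect: vuln.isDirect, fixAvailable: vuln.fixAvailable };
      if (SEVERITY_RANK[adv.severity] < SEVERITY_RANK[minSeverity]) {
        suppressed.push({ ...record, reason: "below severity threshold" });
      } else if (adv.source in exceptions) {
        suppressed.push({ ...record, reason: exceptions[adv.source] });
      } else {
        kept.push(record);
      }
    }
  }
  return { kept, suppressed };
}

// Example run: the ReDoS advisory is accepted with a reason, the low one falls under the threshold.
const result = filterAudit(SAMPLE_REPORT, {
  minSeverity: "moderate",
  exceptions: { 1001: "ReDoS needs untrusted input; this CLI only parses its own config" },
});
console.log(JSON.stringify(result, null, 2));
```

Suppressed entries keep their reason alongside the advisory id, so the exception list can be reviewed when the dependency or the advisory changes.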

righthand 2 days ago

Hate to tell ya but package signing is not a new problem and they could make it opt-in. There has been a GitHub issue and merge request submitted to enable it. But they were closed and denied. Malice or incompetence?

Hilarious that you think this is some sort of impossible feat for a trillion-dollar company.

dns_snek 2 days ago

Seriously? This is extremely low-hanging fruit that's not being taken care of. You shouldn't be able to take over a software dependency with a phishing email. Requiring simple PGP code signing or even just passkey authentication would eradicate that entire attack vector.

Future attacks would then require a level of access that's already synonymous with "game over" for all intents and purposes (e.g. physical access, malware, or an inside job). It's not bulletproof but it would be many orders of magnitude better than the current situation.

rs186 2 days ago

As long as you can publish a package in a CI environment (which is essential), none of what you mentioned matters. And that's not even the point.

That phishing email is just one of the ways attackers use to infiltrate, which is not Microsoft's problem to begin with. Next time, the attacker could install malware on your machine that silently runs code and publishes a package on your behalf using your own credentials stored locally while you think everything is ok, and you'd still blame Microsoft for not doing enough.

dns_snek 2 days ago

> Next time, the attacker could install malware on your machine

I already addressed this in the previous comment, but I hope you realize the absurdity of this statement. If the attacker can corner you in a dark alley they can steal your YubiKey and beat the PIN out of you, too. By that logic, is 2FA futile and should we all stop using it?

Security isn't binary; simply raising the bar from falling for a phishing email to gaining access to someone's machine will probably eliminate 99% of all compromises.

> and you'd still blame Microsoft for not doing enough

Gaining access to someone's machine is a definitive "game over" scenario; using that as an excuse not to harden security to the point that that's the only option left is lazy and irresponsible. Even with that kind of access, code signing will slow the viral spread way down, which would make a difference.

Once you make it hard to hijack packages, time will be better spent investing in sandboxing, which also protects people from insider threats.

righthand 2 days ago

You should indicate whether or not you work for or somehow are affiliated with Microsoft.

2d8a875f-39a2-4 3 days ago

I would contend that they are no worse than the original teams, who also clearly didn't care. Their motivations may have been growth rather than AI training data, but the outcomes were the same.

righthand 2 days ago

The difference is that Microsoft has the money to fix the problem. Neither side (the OG team, Microsoft, or npm consumers) has any capital interest in the matter.

mr90210 3 days ago

> It's a stretch to pin blame on Microsoft. They're probably the reason the service is still up at all.

I reckon that the ecosystem would have been much healthier if NPM had not been kept running without the care it requires.

2d8a875f-39a2-4 3 days ago

I did wonder about that. Maybe, yeah. It's likely that several no-better forks would have sprung up right away.