flkiwi 12 hours ago

There are arguably larger reputational risk issues in a company with significant financial/payment activities not having adequate control of their technology. I'm not saying that justifies anything here as I don't know nearly enough about it, but I'd wager that even a minor incident arising from them not adequately controlling their stack would create infinitely more issues than this move.

hiharryhere 12 hours ago | parent | next [-]

If supply chain integrity is the issue specifically for Shopify, couldn’t they run their own private, internally facing gem repository and whitelist everything that goes there? It’s not a requirement to use the public rubygems.

kenhwang 11 hours ago | parent | next [-]

They probably thought it would be easier to take over rubygems than ensure every dev and every machine for every possible ruby tool could be and is pointed at the internal gem repository.

Let's be paranoid for a moment. What if there's a supply side attack on a gem used by Homebrew? That's basically installed on every dev machine, auto-updates automatically/silently, could have sudo, and no one would care or even know how to point it at a private gem repository.
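hiharryhere's private-repository suggestion and kenhwang's caveat that every machine and lockfile has to actually point at it both reduce to one enforceable control: fail the build when a Gemfile.lock references any source other than the internal repository, or any gem outside the allowlist. The following is an added example (not code from the thread, Shopify or rubygems); the repository URL, the allowlist and the lockfile text are constructed.

```ruby
# Added example: audit a Gemfile.lock against an approved source and allowlist.
# APPROVED_SOURCE and ALLOWLIST are hypothetical values chosen for illustration.
APPROVED_SOURCE = "https://gems.internal.example/".freeze
ALLOWLIST = %w[rack rake minitest].freeze

# Parses the lockfile text: collects every "remote:" line (GEM and GIT sections
# alike) and every top-level spec "name (version)" at four-space indentation.
def parse_lockfile(text)
  remotes = []
  gems = {}
  text.each_line do |raw|
    line = raw.chomp
    if (m = line.match(/\A  remote: (.+)\z/))
      remotes << m[1]
    elsif (m = line.match(/\A    ([\w.-]+) \(([^)]+)\)\z/))
      gems[m[1]] = m[2]
    end
  end
  { remotes: remotes, gems: gems }
end

# Returns a list of findings; an empty list means the lockfile passes.
def audit_lockfile(text, approved_source = APPROVED_SOURCE, allowlist = ALLOWLIST)
  parsed = parse_lockfile(text)
  findings = parsed[:remotes].reject { |r| r == approved_source }
                             .map { |r| "unapproved source: #{r}" }
  parsed[:gems].each_key do |name|
    findings << "gem not on allowlist: #{name}" unless allowlist.include?(name)
  end
  findings
end

# Constructed lockfile: one gem block from the internal mirror, one that
# silently pulls "colorize" straight from the public index.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://gems.internal.example/
    specs:
      rack (3.0.8)
      rake (13.1.0)

  GEM
    remote: https://rubygems.org/
    specs:
      colorize (1.1.0)

  PLATFORMS
    ruby
LOCK

audit_lockfile(SAMPLE_LOCK).each { |f| puts f } if __FILE__ == $PROGRAM_NAME
```

Running it on the sample reports the public source and the off-list gem; wiring `exit 1` on a non-empty result into CI turns the allowlist into a gate rather than a convention.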

yakshaving_jgt 11 hours ago | parent [-]

It was my understanding that they wanted to use Nix to solve this problem.

3eb7988a1663 12 hours ago | parent | prev | next [-]

I too am scratching my head at this. If the problem is the outside community could be a risk, just do not drink from the firehose. Have processes in place to slowly vet and bring the outside world indoors.

Then again, that is not a very web scale suggestion.

hobs 11 hours ago | parent [-]

I don't understand how "well let's just manage the entire ecosystem" could help this problem.

flkiwi 12 hours ago | parent | prev [-]

That's not what I said. I was responding to the parent comment's statement that "I’m assuming there’s a ton of reputational risk in this move" by noting that, in relative terms, this likely isn't something people are paying attention to outside a very, very narrow universe.

jcmfernandes 12 hours ago | parent | prev | next [-]

Exactly. While it seems like the overarching goals were well-suited, the process was... WTF.

apercu 12 hours ago | parent | prev [-]

Supply chain attacks are big shareholder news lately?