Havoc 10 hours ago

> we should all

Except if everyone does it, the chance of malicious things being spotted in source also drops by virtue of less eyeballs.

Still helps, though, in cases where maintainers spot it, etc.

smaudet 9 hours ago | parent | next [-]

> also drops by virtue of less eyeballs

I don't think the people automatically updating and getting hit with the supply chain attack are also scanning the code, so I don't think this will impact them much.

If instead, updates are explicitly put on cooldowns, with the option of manually updating sooner, then there would be more eyeballs, not fewer, as people are more likely to investigate patch notes, etc., possibly even test in isolation...
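The policy smaudet describes, a cooldown on automatic updates with the option to take a newer version manually, as an added example that is not part of the thread. The package index, version list and timestamps below are constructed for illustration; a real updater would read them from the registry's metadata.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample index (hypothetical package, not a real registry entry):
# each entry is a version plus the time the registry says it was published.
SAMPLE_RELEASES = {
    "examplelib": [
        {"version": "1.4.0", "published": "2024-05-01T10:00:00+00:00"},
        {"version": "1.5.0", "published": "2024-05-28T09:30:00+00:00"},
        {"version": "1.5.1", "published": "2024-06-01T12:00:00+00:00"},
    ],
}


def _version_key(v):
    # Simple numeric ordering for dotted versions ("1.10.0" > "1.9.0").
    return tuple(int(part) for part in v.split("."))


def select_version(releases, now, cooldown_days, manual_override=None):
    """Pick the version an automated updater is allowed to take.

    releases: list of {"version", "published"} dicts for one package.
    now: timezone-aware datetime used as the reference point.
    cooldown_days: a release must be at least this old to be auto-selected.
    manual_override: a version a human has explicitly approved after reading
        the patch notes; it is returned even if still inside the cooldown.

    Returns (chosen_version, held_back). held_back lists versions that exist
    but are too fresh, with their age in days, so the reviewer knows which
    releases to investigate while they wait.
    """
    cutoff = now - timedelta(days=cooldown_days)
    eligible, held_back = [], []
    for rel in releases:
        published = datetime.fromisoformat(rel["published"])
        age_days = (now - published).total_seconds() / 86400
        if published <= cutoff:
            eligible.append(rel["version"])
        else:
            held_back.append((rel["version"], round(age_days, 1)))

    if manual_override is not None:
        known = {rel["version"] for rel in releases}
        if manual_override not in known:
            raise ValueError(f"unknown version {manual_override!r}")
        return manual_override, held_back

    if not eligible:
        return None, held_back
    return max(eligible, key=_version_key), held_back


def demo(cooldown_days, manual_override=None):
    """Run the selection against the constructed index at a fixed 'now'."""
    now = datetime(2024, 6, 2, 12, 0, tzinfo=timezone.utc)
    return select_version(
        SAMPLE_RELEASES["examplelib"], now, cooldown_days, manual_override
    )


if __name__ == "__main__":
    for days in (7, 3):
        chosen, held = demo(days)
        print(f"cooldown={days}d -> use {chosen}; held back: {held}")
    print("manual override ->", demo(7, manual_override="1.5.1")[0])
```

With a seven-day cooldown the updater stays on 1.4.0 and reports 1.5.0 and 1.5.1 as held back; shortening the window to three days lets 1.5.0 through while 1.5.1 still waits. The override path is the "manually updating sooner" option: it only accepts versions that actually exist in the index, so a typo cannot silently pin something the registry never published.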

woodruffw 9 hours ago | parent | prev | next [-]

(Author of the post.)

The underlying premise here is that supply chain security vendors are honest in their claims about proactively scanning (and effectively detecting + reporting) malicious and compromised packages. In other words, it's not about eyeballs (I don't think people who automatically apply Dependabot bumps are categorically reading the code anyways), but about rigorous scanning and reporting.

mkoubaa an hour ago | parent [-]

Maybe it's more about mileage (attacks that actually happen) than eyeballs.

pico303 4 hours ago | parent | prev | next [-]

I agree. This "cooldown" approach seems antithetical to some basic tenets of security in the open source world, namely that more eyeballs make for better code. If we all stop looking at or using the thing, are these security professionals really going to find the supply-chain problems for us in the thing, for free?

Instead of a period where you don't use the new version, shouldn't we instead be promoting a best practice of not just blindly using a package or library in production? This "cooldown" should be a period of use in dev or QA environments while we take the time to investigate the libraries we use and their dependencies. I know this can be difficult in many languages and package managers, given the plethora of libraries and dependencies (I'm looking at you in particular, JavaScript). But "it's hard" shouldn't really be a good excuse for our best efforts to maintain secure and stable applications.

10 hours ago | parent | prev | next [-]
[deleted]
tjpnz 9 hours ago | parent | prev [-]

You might read the source if something breaks, but in a successful supply chain attack that's unlikely to happen. You push to production, go home for the evening, and maybe get pinged about it by some automation in a few weeks.