dawnerd 2 hours ago

Everyone is blaming npm but GitHub should be put on blast too for allowing the repos to be created and not quickly flagged.

GitHub has a massive malware problem as it is and it doesn’t get enough attention.

princevegeta89 an hour ago | parent | next [-]

I love how GitHub, as a corporate company now owned by Microsoft, is directly tied to GoLang as the main repository of the vast majority of packages/dependencies.

Imagine the number of things that can go wrong when they try to regulate or introduce restrictions for build workflows for the purpose of making some extra money... lol

The original Java platform is a good example to think about.

oefrha 24 minutes ago | parent [-]

Golang builds pulling a github.com/foo/bar/baz module don't rely on any GitHub "build workflow", so unless you mean they're going to start restricting or charging for git clones for public repos (before you mention Docker Hub, yes I know), nothing's gonna change. And even if they're crazy enough to do that, Go module downloads default to a proxy (proxy.golang.org by default, can be configured and/or self-hosted) and only fall back to vcs if the module's not available, so a module only needs to be downloaded once from GitHub anyway. Oh and once a module is cached in the proxy, the proxy will keep serving it even if the repo/tag is removed from GitHub.
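The comment above describes how the go command resolves a module through GOPROXY and falls back to the VCS host. The following Go program is an added example (not code from the commenter or the Go project) that models that walk: it parses a GOPROXY list with the real separator rules (a comma after an element falls through to the next one only on a 404 or 410, a pipe falls through on any error) and replays the scenario where a module already cached in the proxy keeps resolving after the upstream tag is deleted. The module path `github.com/foo/bar`, the proxy and origin objects, and their contents are constructed stand-ins; `proxy.golang.org` and the default value `https://proxy.golang.org,direct` are the real ones.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// FetchError mimics the status the go command sees from a proxy or VCS host.
type FetchError struct {
	Status int
	Msg    string
}

func (e *FetchError) Error() string { return fmt.Sprintf("%d: %s", e.Status, e.Msg) }

type key struct{ module, version string }

// Source is anything a module zip can be downloaded from.
type Source interface {
	Fetch(module, version string) (string, error)
}

// Proxy is a constructed stand-in for proxy.golang.org or a self-hosted proxy.
type Proxy struct {
	Name   string
	Cache  map[key]string
	Outage bool // when true the proxy answers 500, simulating an outage
}

func (p *Proxy) Fetch(module, version string) (string, error) {
	if p.Outage {
		return "", &FetchError{500, p.Name + " outage"}
	}
	if zip, ok := p.Cache[key{module, version}]; ok {
		return zip, nil
	}
	return "", &FetchError{404, module + "@" + version + " not cached"}
}

// Origin is a constructed stand-in for the git host reached by "direct".
type Origin struct{ Tags map[key]string }

func (o *Origin) Fetch(module, version string) (string, error) {
	if zip, ok := o.Tags[key{module, version}]; ok {
		return zip, nil
	}
	return "", &FetchError{404, "tag not found upstream"}
}

// Entry is one GOPROXY element plus the fallback rule implied by the separator
// after it: "," falls through only on 404/410, "|" falls through on any error.
type Entry struct {
	URL               string
	AnyErrorFallsBack bool
}

// ParseGOPROXY splits a GOPROXY value into ordered entries, dropping empty ones.
func ParseGOPROXY(value string) []Entry {
	var out []Entry
	var tok strings.Builder
	push := func(anyErr bool) {
		if s := strings.TrimSpace(tok.String()); s != "" {
			out = append(out, Entry{s, anyErr})
		}
		tok.Reset()
	}
	for _, r := range value {
		if r == ',' || r == '|' {
			push(r == '|')
			continue
		}
		tok.WriteRune(r)
	}
	push(false) // the last element has nothing after it to fall back to
	return out
}

// Resolve walks the GOPROXY list the way the go command does and reports which
// element served the module, the zip content, or the error that stopped the walk.
func Resolve(goproxy, module, version string, proxies map[string]*Proxy, origin *Origin) (string, string, error) {
	if strings.TrimSpace(goproxy) == "off" {
		return "", "", errors.New("GOPROXY=off: module downloads disabled")
	}
	var lastErr error
	for _, e := range ParseGOPROXY(goproxy) {
		var src Source
		if e.URL == "direct" {
			src = origin
		} else {
			p, ok := proxies[e.URL]
			if !ok {
				return "", "", fmt.Errorf("unknown proxy %q in this model", e.URL)
			}
			src = p
		}
		zip, err := src.Fetch(module, version)
		if err == nil {
			return e.URL, zip, nil
		}
		lastErr = err
		var fe *FetchError
		if errors.As(err, &fe) && (e.AnyErrorFallsBack || fe.Status == 404 || fe.Status == 410) {
			continue
		}
		return "", "", err
	}
	return "", "", lastErr
}

// Scenario replays the thread's point: a version cached by the proxy keeps
// resolving after the tag is removed upstream. Values are the source that served each step.
func Scenario() map[string]string {
	const mod = "github.com/foo/bar" // constructed module path
	const goproxy = "https://proxy.golang.org,direct" // the go command's default
	proxy := &Proxy{Name: "proxy.golang.org", Cache: map[key]string{{mod, "v1.2.0"}: "zip-1.2.0"}}
	origin := &Origin{Tags: map[key]string{{mod, "v1.2.0"}: "zip-1.2.0", {mod, "v1.3.0"}: "zip-1.3.0"}}
	proxies := map[string]*Proxy{"https://proxy.golang.org": proxy}
	res := map[string]string{}
	src, _, _ := Resolve(goproxy, mod, "v1.2.0", proxies, origin)
	res["cached"] = src // served by the proxy, GitHub never contacted
	src, _, _ = Resolve(goproxy, mod, "v1.3.0", proxies, origin)
	res["uncached"] = src // proxy 404s, comma lets it fall back to direct
	delete(origin.Tags, key{mod, "v1.2.0"}) // maintainer deletes the tag upstream
	src, _, _ = Resolve(goproxy, mod, "v1.2.0", proxies, origin)
	res["after_delete"] = src // still served from the proxy cache
	proxy.Outage = true
	if _, _, err := Resolve(goproxy, mod, "v1.3.0", proxies, origin); err != nil {
		res["comma_outage"] = "error" // 500 is not 404/410, so comma does not fall back
	}
	src, _, _ = Resolve("https://proxy.golang.org|direct", mod, "v1.3.0", proxies, origin)
	res["pipe_outage"] = src // pipe falls back on any error
	return res
}

func main() {
	for step, source := range Scenario() {
		fmt.Printf("%-13s -> %s\n", step, source)
	}
}
```

The two outage steps are the part worth remembering when hardening a build: with the default comma separator, a proxy outage fails the build rather than silently reaching out to the VCS host, whereas a pipe-separated list trades that predictability for availability.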

benatkin 2 hours ago | parent | prev | next [-]

They're part of the same company, but that's a good point. They both have mediocre security.

testdelacc1 an hour ago | parent | prev [-]

Wouldn’t have been that hard to write a rule that matches the repositories being created by this malware. It literally does the same thing to every victim.