dabinat 5 hours ago

> With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed.

I get that this is a difficult situation for a small developer, but ending with this line did not fill me with confidence that the problem is actually resolved and make me trust their software on my system.

the_fall 5 hours ago

That's the most honest assessment you can expect from any small-scale developer. What do you expect them to say or do? Their adversary is presumably a national intelligence agency of a superpower.

The odds may be better if you operate the way OpenSSH does: move slow, security first, architect everything to be very difficult to attack. But if you're building a text editor, it's not your mindset, and probably never will be.

avazhi an hour ago

> The odds may be better if you operate the way OpenSSH does: move slow, security first, architect everything to be very difficult to attack. But if you're building a text editor, it's not your mindset, and probably never will be.

I mean, if you look at the Notepad++ website, this developer seems just as concerned with spamming political messaging all over everything as he is with writing the software he's distributing. It's pretty crazy he apparently didn't think to take more basic precautions given he is basically permatrolling Russia and China with his messaging. Big brain moment for him. And meanwhile, after reading that disclosure nonsense, none of us even know what's going on - like, should we be formatting machines that were affected during that timeframe? Was the attack targeted and specific only? Who the fuck knows!

hjoutfbkfd 2 hours ago

and yet OpenSSH was almost the victim of a giant hack too (xz-utils)

xeromal 4 hours ago

Yup, the only way to combat this as a small-time dev would be to turn off auto updates and make people build from source.

m-schuetz 4 hours ago

Why would building from source be safer? Are you vetting every single line of third-party source code you compile and use?

g-b-r 3 hours ago

You're sure not vetting any byte of an executable, so building from source is safer.

m-schuetz 38 minutes ago

Binaries or source, it's pretty much the same unless you thoroughly vet the entire source code. Malicious code isn't advertised and commented and found by looking at a couple of functions. It's carefully hidden and obfuscated.

tjwebbnorfolk 4 hours ago

yeah, `curl <url> | gcc` is much safer...

trympet 3 hours ago

Security through ..rarity? Maybe not for nation state actors though.

baobabKoodaa 3 hours ago

Would you feel better if they had ended the blog post with corporate style assurances that Notepad++ is 100% secure?