fc417fc802 8 hours ago
I've yet to be saved by an airbag or seatbelt. Is that justification to stop using them? How near a miss must we have (and how many) before you would feel that certain practices surrounding dependencies are inadvisable? A number of these supply chain compromises had incredibly high stakes and were seemingly only noticed before paying off by lucky coincidence.
tokioyoyo 8 hours ago
> How near a miss must we have (and how many)

The fun part is, there have been a lot of non-misses! Like a lot! A ton of data has been exfiltrated, a lot of attacks, etc. In the end... it just didn't matter. Your analogy isn't really apt either. My argument is closer to "given that in the past decade+, nothing of worth has been harmed, should we require airbags and seatbelts for everything?". Obviously in some extreme mission critical systems you should be much smarter. But in 99% of cases it doesn't matter.
hiq 3 hours ago
> I've yet to be saved by an airbag or seatbelt. Is that justification to stop using them?

By now, getting a car without airbags would probably be more costly, if possible at all, and the seatbelt takes 2s every time you're in a car, which is not nothing but is still very little. In comparison, analyzing all the dependencies of a software project, vetting them individually or having fewer of them can require days of effort with a huge cost. We all want as much security as possible until there's an actual cost to be paid; it's a tradeoff like everything else.