wps · 15 hours ago
Genuinely how are you supposed to make sure that none of the software you have on your system pulls this in? It’s things like this that make me want to swap to Qubes permanently, simply as to not have my password manager in the same context as compiling software ever.

semi-extrinsic · 12 hours ago
We run everything NPM related inside Apple containers, and are looking to do the same with Python and Rust soon. Bwrap on Linux does the same. I like to think of it like working with dangerous chemicals in the lab. Back in the day, people were sloppy and eventually got cancer. Then dangers were recognized and PPE was developed and became a requirement. We are now at the stage in software development where we are beginning to recognize the hazards and developing + mandating use of proper PPE. A couple of years ago, pip started refusing to install packages outside of a virtualenv. I'm guessing/hoping package managers will start to have an opt-in flag you can set in a system-wide config file, such that they refuse to run outside of a sandbox.

mike_hearn · 11 hours ago
The problem is that package managers are a distraction. You have to sandbox everything or else it doesn't work. These attacks use post-install hooks for convenience but nothing would have stopped them patching axios itself and just waiting for devs to run the app on their local workstation. So you end up needing to develop in a fully sandboxed environment.

PunchyHamster · 7 hours ago
Yeah, the whole rush on "post-run hooks bad" isn't really adding all that much to security. Like, congratulations, your dev was compromised a whole 10 minutes later, after he ran the code.

semi-extrinsic · 5 hours ago
They are not a distraction when they are also the command runners.

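semi-extrinsic's bwrap approach and mike_hearn's point that the app itself has to run in the same sandbox, as an added example that is not code from anyone in the thread: a POSIX sh wrapper that launches a project's commands under bubblewrap, plus a check a script can call to refuse to run outside it. bwrap being installed, a merged-usr layout with node under /usr, and the marker variable NPM_SANDBOXED are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: run a project's npm/node (or pip, cargo)
# commands inside a bubblewrap (bwrap) sandbox that sees only that project plus
# read-only system paths. The rest of $HOME (password-manager data, ~/.ssh,
# ~/.npmrc tokens) is hidden behind an empty tmpfs, so neither a post-install
# hook nor the app itself can read it. Assumptions: bwrap is installed, node
# lives under /usr on a merged-usr layout, and NPM_SANDBOXED is our own marker
# variable, not an npm or bwrap setting.
set -eu

# run_sandboxed PROJECT CMD [ARGS...]     e.g.  run_sandboxed ~/src/app npm ci
# --share-net keeps the registry reachable; --new-session blocks TIOCSTI
# keystroke injection into the parent terminal; the tmpfs over $HOME comes
# before the project bind so only the project reappears inside home (npm's
# ~/.npm cache lands in the tmpfs and is discarded per run). BWRAP=echo prints
# the argument list instead of launching.
run_sandboxed() {
  proj=$(cd "$1" && pwd -P) || return 1
  shift
  set -- \
    --unshare-all --share-net --die-with-parent --new-session \
    --ro-bind /usr /usr \
    --symlink usr/lib /lib --symlink usr/lib64 /lib64 --symlink usr/bin /bin \
    --ro-bind-try /etc/resolv.conf /etc/resolv.conf \
    --ro-bind-try /etc/hosts /etc/hosts \
    --ro-bind-try /etc/ssl /etc/ssl \
    --ro-bind-try /etc/alternatives /etc/alternatives \
    --proc /proc --dev /dev --tmpfs /tmp \
    --tmpfs "${HOME:?}" \
    --bind "$proj" "$proj" \
    --chdir "$proj" \
    --setenv NPM_SANDBOXED 1 \
    -- "$@"
  exec "${BWRAP:-bwrap}" "$@"
}

# For package.json scripts, Makefiles or CI steps that should refuse to run
# outside the sandbox (the opt-in refusal wished for above): only
# run_sandboxed sets NPM_SANDBOXED, and only inside the sandbox.
require_sandbox() {
  [ "${NPM_SANDBOXED:-}" = 1 ] && return 0
  echo "refusing to run: not inside the bwrap sandbox (use run_sandboxed)" >&2
  return 1
}

# Dispatch only when invoked with arguments, so the file can also be sourced:
#   sh npm-sandbox.sh ~/src/app npm ci --ignore-scripts
[ $# -eq 0 ] || run_sandboxed "$@"
```

Passing `--ignore-scripts` to npm on top of this is still worthwhile, but the sandbox is what protects you once the installed code actually runs.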
jjice · 7 hours ago
While it's not perfect, pinning specific versions and managing all updates directly has been a solid solution for my team. Things can of course still slip through, but we're never vulnerable to these just because there was a new package release and we opted into it by default. Updating packages takes longer, but we try to keep packages to a minimum so it ends up not being that big a deal.

PhilipRoman · 13 hours ago
This sounds like satire but isn't - I just make sure the nodejs/npm packages don't exist on my system. I've yet to find a crucial piece of software that requires it. As much as I love that cute utility that turns maps into ascii art, it's not exactly sqlite in terms of usefulness.

whywhywhywhy · 10 hours ago
Bit ridiculous to dismiss the most popular programming language's packaging repo as silly toys.

PhilipRoman · 9 hours ago
I don't deny that node/npm is useful for building servers, devtools for JS development itself, etc., but as an end user I haven't encountered anything useful which requires having it on my machine.

habinero · 3 hours ago
Ok? So you don't code in that language? You still have multiple programming languages preinstalled on your OS, no matter which one it is.

friendzis · 14 hours ago
[flagged]

wps · 14 hours ago
Hello. You missed the point I was making drastically. Of course for software that I build personally I can do all that, but not for all the random stuff in my system that I’m trusting maintainers to package for me, or otherwise good PKGBUILDs in the AUR. You physically cannot have the bandwidth to be on top of these supply chain issues all the time. Also, semantic versioning is not some golden goose that fixes this issue; update embargoes help, but that doesn’t require semver. Vendoring dependencies is not a scalable solution for all the software people use.

friendzis · 13 hours ago
> You physically cannot have the bandwidth to be on top of these supply chain issues all the time

> semantic versioning is not some golden goose that fixes this issue

Nothing is a golden goose, however semver is designed to limit the scope of incoming changes so you have a chance of staying on top.

> Vendoring dependencies is not a scalable solution for all the software people use.

There are literally three ways to deal with these supply chain issues:
1. Allocate the bandwidth yourself
2. Buy that bandwidth
3. Yolo

cromka · 14 hours ago
What a weird way to virtue signal.