by _pmf_
2700 days ago
> The security of package managers is something we're going to have to fix. Inclusiveness and the need for Jeff Freshman and Jane Sophomore to have a list of 126 GitHub repos before beginning their application process for an intern job is at odds with having vetted entities as package providers. When I was developing Eclipse RCP products, I had three or five entities that provided signed packages I used as dependencies. Plus: with npm, you even have tooling dependencies, so the former theoretical threat of a malicious compiler injecting malware is now the sad reality [0]. I'm not claiming the "old way" is secure, but the "new way" is insecure by design and by policy (inclusiveness, gatekeeping as a fireable offense).
>
> [0] I have tooling dependencies in Gradle and Maven too, but again, these are by large vendors and not by some random resume-padding GitHub user.
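The comment contrasts a handful of vetted, signed package sources with npm's long tail of unreviewed dependencies and install-time tooling. An added example, not part of the comment above and not npm's own code, of the kind of check a defender can run over a `package-lock.json`: verify each tarball against the lockfile's SRI `integrity` hash, and flag entries that have no hash, resolve from a host outside an allowlist, or run an install script. The lockfile, package names, tarball bytes and the `TRUSTED_HOSTS` allowlist are constructed for illustration.

```python
"""Audit a package-lock.json for unvetted dependencies and verify SRI integrity.

Added example: the lockfile, tarball bytes and package names below are
constructed for illustration and do not come from any real registry.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Hosts treated as a vetted source for resolved tarballs (assumption for this example).
TRUSTED_HOSTS = {"registry.npmjs.org"}


def sri_sha512(data: bytes) -> str:
    """Return the Subresource-Integrity string npm stores in a lockfile 'integrity' field."""
    digest = hashlib.sha512(data).digest()
    return "sha512-" + base64.b64encode(digest).decode("ascii")


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Check tarball bytes against an SRI 'algo-base64digest' value.

    Returns False for unsupported algorithms or malformed strings instead of
    raising, so a bad lockfile entry never passes by accident.
    """
    algo, sep, b64 = integrity.partition("-")
    if not sep or algo not in ("sha256", "sha384", "sha512"):
        return False
    try:
        expected = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, expected)


def load_lockfile(path: str) -> dict:
    """Read a real package-lock.json from disk (lockfileVersion 2 or 3 layout)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def audit_lockfile(lock: dict) -> list:
    """Return one (package, reason) finding per condition that needs human review."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if not meta.get("integrity"):
            findings.append((name, "no integrity hash: tarball contents are not pinned"))
        if host not in TRUSTED_HOSTS:
            findings.append((name, f"resolved from non-allowlisted host: {host or '<none>'}"))
        if meta.get("hasInstallScript"):
            findings.append((name, "has an install script: code runs at install time"))
    return findings


# Constructed tarball contents standing in for a published package archive.
GOOD_TARBALL = b"package/package.json\n{\"name\": \"sample-lib\"}\n"
TAMPERED_TARBALL = GOOD_TARBALL + b"package/extra.js\nconsole.log('tampered')\n"

# Constructed lockfile: one pinned, registry-hosted package and one that is not.
LOCKFILE = {
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/sample-lib": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/sample-lib/-/sample-lib-1.2.3.tgz",
            "integrity": sri_sha512(GOOD_TARBALL),
        },
        "node_modules/build-helper": {
            "version": "0.0.9",
            "resolved": "https://example.invalid/build-helper-0.0.9.tgz",
            "hasInstallScript": True,
        },
    },
}


def run_demo() -> dict:
    """Exercise both checks on the constructed data and return the results."""
    pinned = LOCKFILE["packages"]["node_modules/sample-lib"]["integrity"]
    return {
        "good_tarball_ok": verify_integrity(GOOD_TARBALL, pinned),
        "tampered_tarball_ok": verify_integrity(TAMPERED_TARBALL, pinned),
        "findings": audit_lockfile(LOCKFILE),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The integrity check is what `npm ci` already enforces for entries that carry a hash; the audit adds what it does not: surfacing entries with no hash at all, tarballs fetched from outside the registries you have decided to trust, and packages that execute code at install time, which is the "tooling dependency" exposure the comment points at.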