by sethvargo 2463 days ago
The goal was not to disrupt ICE, Chef, or any organization thereof. The goal was to remove my code from an ecosystem that was using it for purposes I perceive as evil. I had no goals of disrupting ICE operations or Chef operations.

I suspected a small percentage of people with a hard, runtime dependency would be impacted, but I did not know Chef (the software) had a hard runtime dependency and was pulling that dependency from public RubyGems instead of a mirror they control.


Besides the political statement, do you have any technical opinion about an organization such as Chef shipping things that have runtime deps to third parties?
It wasn’t a political statement. I have a few thoughts in general. These aren’t specific to this situation.

First, always minimize runtime dependencies. I personally prefer compiled things for this very reason.

Second, if you’re going to include a third party dependency, how are you auditing it? There’s an unexplored area around security here too. The Node.js ecosystem has had a series of incidents where popular packages have had cryptocurrency miners injected into otherwise helpful packages. If you’re depending on third party runtime dependencies: how are you auditing changes and contributions, how are you scanning for vulnerabilities, how are you patching those vulnerabilities if you don’t have an internal fork upon which you build?

Third, RubyGems is a volunteer-run organization. I believe other software ecosystems are similar. From my understanding of the situation, a RubyGems outage would have had similar effect.
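The point above about a runtime dependency being pulled from public RubyGems rather than a controlled mirror, as an added example that is not part of this thread: a Ruby script that parses a Gemfile.lock and lists the gems whose remote is not on an allow-list of mirrors the organization runs. The lockfile, gem names and mirror hostname are constructed placeholders.

```ruby
# Added example (not Chef's or RubyGems' code): audit a Gemfile.lock for gems
# that Bundler will fetch from a source outside the mirrors you control.
# The lockfile below is constructed; gem names and hostnames are placeholders.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-helper (1.4.0)
      example-parser (2.0.1)
        example-helper (~> 1.4)

  GEM
    remote: https://gems.mirror.example.internal/
    specs:
      example-core (14.1.0)
        example-parser (>= 2.0)

  DEPENDENCIES
    example-core
LOCK

# Map each locked gem to the remote it resolves from: { name => remote_url }.
# Gem entries sit four spaces deep under "specs:"; deeper lines are that
# gem's own requirements and are skipped.
def lockfile_sources(lock_text)
  sources = {}
  remote = nil
  in_specs = false
  lock_text.each_line do |line|
    case line
    when /\A\S/                  # new top-level section: GEM, DEPENDENCIES, ...
      remote, in_specs = nil, false
    when /\A  remote: (\S+)/
      remote = Regexp.last_match(1)
    when /\A  specs:/
      in_specs = true
    when /\A    (\S+) \(/
      sources[Regexp.last_match(1)] = remote if in_specs && remote
    end
  end
  sources
end

# Gems whose remote is not an allow-listed mirror: a runtime dependency on
# infrastructure the organization does not control.
def uncontrolled_gems(lock_text, allowed_remotes)
  lockfile_sources(lock_text).reject { |_, remote| allowed_remotes.include?(remote) }
end

uncontrolled_gems(SAMPLE_LOCKFILE, ["https://gems.mirror.example.internal/"]).each { |g, r| puts "#{g} resolves from #{r}" }
```

Run it against a real Gemfile.lock by reading the file into `lock_text`; an empty result means every locked gem resolves from a remote you control.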

Compromised third party libs are absolutely not “an unexplored area around security”. It’s a super well-known threat.
Sorry - by “unexplored” I meant “not a topic I’ve seen discussed at length with regard to this particular issue”
What are your thoughts on Golang?
If you use Go, then try one of the new self-hosted repositories, such as github.com/gomods/athens since it allows you to archive every dependency you ever update so you can always retrieve past dependencies.
I believe you should use whatever language is practical for your use case.