by asn007 1550 days ago
I rarely visit HN and mostly lurk here, not sure what you're trying to point out.

I was myself hit by the issue, unfortunately, and I strongly believe that weaponising open-source is not how things should be done, so I decided to post. An attempt to bring this into the limelight, if you wish.

This incident sets a dangerous precedent in breaking a chain of trust that today's software development heavily relies on.


>This incident sets a dangerous precedent in breaking a chain of trust that today's software development heavily relies on

Such precedents should be set, we shouldn't be relying on that chain of trust (as clearly demonstrated here).

Updates should be vetted, signed, etc. Fetching stuff random people push to npm is a recipe for disaster.

How are regular developers going to vet the literally 1000s of Node.js dependencies they rely on?

And who's signing these updates? The package owner? Well, he's the one adding malicious code so he can sign whatever he wants.

I'll say it again, Node.js needs a proper standard library like Go that takes care of common needs most people have. It's been improving but it was a historical mistake to let microdependencies run wild.

IMO npm should have a "stable repo" and a "community repo" just like most distribution packagers have had for a long time.
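The two posts above argue over what "vetting" and "signing" could even mean for thousands of npm dependencies. One mechanical piece of that vetting, added here as an example that is not code from any of the commenters, is to audit the lockfile rather than trust whatever `npm install` resolves: the script below parses an npm `package-lock.json` (lockfileVersion 2/3 `packages` shape) and flags entries that lack a sha512 integrity hash, that resolve to anything other than HTTPS on the expected registry, or whose version differs from a list of versions a human has already reviewed. The lockfile contents, the package names `pkg-a`/`pkg-b`/`pkg-c`, the registry hostname and the "vetted" list are all constructed assumptions for the demonstration.

```python
import json
from urllib.parse import urlparse

# Registry we expect every resolved tarball to come from (assumption for this example).
EXPECTED_REGISTRY = "registry.npmjs.org"

# Constructed sample lockfile, not taken from any real project. pkg-a is clean,
# pkg-b moved one patch version past what was reviewed, pkg-c comes from an
# off-registry HTTP mirror with no integrity hash.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/pkg-a": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/pkg-a/-/pkg-a-1.2.3.tgz",
            "integrity": "sha512-AAAAexampleAAAA==",
        },
        "node_modules/pkg-b": {
            "version": "2.0.1",
            "resolved": "https://registry.npmjs.org/pkg-b/-/pkg-b-2.0.1.tgz",
            "integrity": "sha512-BBBBexampleBBBB==",
        },
        "node_modules/pkg-c": {
            "version": "0.9.0",
            "resolved": "http://mirror.example/pkg-c-0.9.0.tgz",
        },
    },
})

# Hypothetical record of versions someone on the team has actually read through.
VETTED = {"pkg-a": "1.2.3", "pkg-b": "2.0.0"}


def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (handles nesting and scopes)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text, vetted, registry=EXPECTED_REGISTRY):
    """Return a list of (package, finding) tuples; an empty list means nothing to review."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project itself, not a dependency
            continue
        name = package_name(path)
        version = meta.get("version")
        resolved = meta.get("resolved")
        integrity = meta.get("integrity", "")

        # Without a strong integrity hash, npm cannot detect a swapped tarball.
        if not integrity.startswith("sha512-"):
            findings.append((name, "missing-or-weak-integrity"))

        # Anything not fetched over HTTPS from the expected registry is suspect.
        if resolved:
            url = urlparse(resolved)
            if url.scheme != "https" or url.hostname != registry:
                findings.append((name, f"unexpected-source:{resolved}"))
        else:
            findings.append((name, "no-resolved-url"))

        # Integrity only proves the bytes match the lockfile; whether those bytes
        # were ever reviewed is a separate, human question answered by `vetted`.
        if name not in vetted:
            findings.append((name, "unvetted"))
        elif vetted[name] != version:
            findings.append((name, f"version-drift:{vetted[name]}->{version}"))
    return findings


if __name__ == "__main__":
    for pkg, finding in audit_lockfile(SAMPLE_LOCK, VETTED):
        print(f"{pkg}: {finding}")
```

Run against a real project, the script would take the path to `package-lock.json` and a maintained vetted-versions file; in CI it is the kind of check that fails the build when a lockfile changes to a version nobody has looked at, which is the only point at which a "signature" from the package owner is of any use to the consumer.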

> How are regular developers going to vet the literally 1000s of Node.js dependencies they rely on?

Perhaps they shouldn't be relying on thousands of NPM packages. It's not difficult to write JS code that doesn't `npm install` the entire package ecosystem.

If you use React, Vue and others, that decision has been made for you.

I wasn’t suggesting any nefarious intent, only that this was the topic that made you go “Today is the day I post.”

Sorry to hear you were impacted by this. Software supply chain challenges are copious, unwieldy, and everywhere.

>I wasn’t suggesting any nefarious intent,

Oh, please. The only thing missing was to accuse asn007 of being a "Russian troll", although I suppose you realized that that would not be appropriate in this case.

Just own up to your apology.

Sorry that’s what you took from it, if you’re looking for an apology. People are interesting, that’s all, and I am curious about how they tick. There is a difference between “How odd!” and “This person is up to no good.”

Whether someone is a “Russian troll” or not really doesn’t concern me, and I wouldn’t call someone out if I thought they were (that’s a mod’s problem and poor form), nor was that what I was insinuating.