• Kissaki@programming.dev
    4 upvotes · 12 days ago

    Not updating with audit would work if every direct and transient dependency provided security updates for every version. But they don’t. Often, security updates are for the most recent version or versions, and if you’re far behind, you now have to audit a lot more.

    Transient dependencies are an audit problem, too. To audit something, you have to essentially audit recursively. Many libs use many other libs of varied authors.

    Our systems are too open, too vulnerable. A build or check being able to access all resources is a fundamental systematic vulnerability.
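
    A worked illustration of the two audit problems above (added here as an example; it is not part of Kissaki's post and not any real tool). It walks a constructed dependency graph to get the full set of transitive packages an audit has to cover, then checks each constructed advisory to see whether a fix exists on the installed major line or only on a newer one, which is the "you're far behind, now audit a lot more" case. Package names, versions and advisory ids are all made up for the example.

```python
"""Added example: how far an audit has to reach.

Computes the transitive audit surface of a constructed dependency graph
and, for each constructed advisory, whether the installed version can be
fixed with a bump on its own major line or only by jumping to a newer
line (with everything in between to audit). Nothing here is real data.
"""
from collections import deque

# Constructed dependency graph: package -> packages it pulls in.
DEPS = {
    "app":  ["web", "yaml"],
    "web":  ["http", "log"],
    "yaml": ["log"],
    "http": ["url", "zlib"],
    "log":  [],
    "url":  [],
    "zlib": [],
}

# Constructed resolved versions of the direct and transitive deps.
INSTALLED = {
    "web": "2.4.1", "yaml": "5.3.0", "http": "1.9.2",
    "log": "0.8.0", "url": "3.1.0", "zlib": "1.2.11",
}

# Constructed advisories. 'fixed_in' lists one fixed release per major
# line that actually received a patch; a line missing from it never did.
ADVISORIES = [
    # http: only the 2.x line got a fix, so 1.x users must jump a major.
    {"id": "ADV-A", "package": "http", "introduced": "1.0.0", "fixed_in": ["2.1.3"]},
    # log: fixed on the line we run, so a patch-level bump is enough.
    {"id": "ADV-B", "package": "log", "introduced": "0.5.0", "fixed_in": ["0.8.2", "1.0.1"]},
    # url: introduced after our installed version, so we are not affected.
    {"id": "ADV-C", "package": "url", "introduced": "3.2.0", "fixed_in": ["3.2.4"]},
]


def parse_version(s):
    """'1.2.11' -> (1, 2, 11); plain numeric dotted versions only."""
    return tuple(int(part) for part in s.split("."))


def transitive_closure(root, deps):
    """Every package reachable from `root`: the set an audit must cover."""
    seen, queue = set(), deque(deps.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(deps.get(pkg, []))
    return seen


def fix_path(installed_version, advisory):
    """Classify what it takes to get off one advisory.

    'status' is one of: not_affected, fix_on_line (a release on our own
    major line), major_jump (fix exists only on a newer major line, with
    'majors_skipped' counting how many lines we cross), or unfixed.
    """
    v = parse_version(installed_version)
    if v < parse_version(advisory["introduced"]):
        return {"status": "not_affected"}
    fixed = sorted(parse_version(f) for f in advisory["fixed_in"])
    # Already at or past a fixed release on this line.
    if any(f[0] == v[0] and f <= v for f in fixed):
        return {"status": "not_affected"}
    # A fix on our own major line: small diff, little extra to audit.
    same_line = [f for f in fixed if f[0] == v[0] and f > v]
    if same_line:
        return {"status": "fix_on_line", "target": ".".join(map(str, same_line[0]))}
    # No fix on our line: the only patched releases live on newer majors.
    newer = [f for f in fixed if f > v]
    if not newer:
        return {"status": "unfixed"}
    return {"status": "major_jump", "target": ".".join(map(str, newer[0])),
            "majors_skipped": newer[0][0] - v[0]}


def audit_report(root, deps, installed, advisories):
    """Audit surface plus a fix classification for each advisory that hits it."""
    surface = transitive_closure(root, deps)
    findings = {}
    for adv in advisories:
        pkg = adv["package"]
        if pkg in surface and pkg in installed:
            findings[adv["id"]] = fix_path(installed[pkg], adv)
    return {"surface": sorted(surface), "findings": findings}


if __name__ == "__main__":
    report = audit_report("app", DEPS, INSTALLED, ADVISORIES)
    print("audit surface:", report["surface"])
    for adv_id, finding in report["findings"].items():
        print(adv_id, finding)
```

    The point of the `major_jump` status is the one the post makes: when the only fixed release is on a newer line, "just apply the security update" silently turns into "diff and audit every release between 1.9.2 and 2.1.3, for this package and whatever it pulls in".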

  • _‌_反いじめ戦隊@ani.social
    1 upvote · edited · 11 days ago

    I used to be a developer, and I completely agree.

    I don’t owe anyone anything. And if you won’t compensate me for work you demand, the less willing I am to cover your mistake.

    “Supply-chain” is an invented capitalist digressive term that they forwent compensation for security. Even in our /c/, folks think capitalists will pay 7 additional days to review issues at no cost. It’s preposterous. Nazis prefer automating our quality assurance.

    No pay, no game.


    Edit! This type of ignorance even extends into other industries! Here’s my scene, making a bounty, not accounting modern Nazi costs of hardware.