remember left pad?
that was fun, wasn't it?

left-pad was 2016.
it's been eight years.

we have learned nothing in 8 years.

@Viss @bert_hubert Who is this we?

Like without being too snarky but like ecosystem changes did happen as a result of left-pad. npm has restrictions, other platforms like the go ecosystem proxy cache packages, the list is quite long on improvements to that part of the ecosystem.

Assuming this is an xz related post, I don't really see how this is related, one is an individual deciding that they wanted to pull a repo and causing a dependency stack-of-cards to come falling down (something that the JS ecosystem was especially sensitive to), and the xz incident was a likely state actor working their way into an open source project over a longer set of time, and writing sophisticated payloads to sneak into upstream dependencies.

What could we have learned from left-pad that would have applied to xz here? I don't get it. Open source bad? Vendor everything? Audit every single endless tree of changes that happens to you downstream?

All these kinds of vague-ey posts do is demotivate people who are actively trying to turn things around.


@benjojo @bert_hubert

one way to say it is "in eight years we apparently haven't lifted a finger to address the systemic issue of 'one guy maintains a project that everyone uses resulting in an incredibly fragile, easily manipulated/broken environment'. be it left pad, xz or any other open source project that fits this model."

another way to say it is "oh, this again"

yet another way to say it is "people would rather argue online than fix stuff"

@benjojo @Viss (for my part, I was mostly in vehement agreement that we are shipping ever more (indirect) dependencies. The scrutiny may have improved but 'npm install' remains a sight to behold)

@bert_hubert @benjojo this is a systemic problem that goes beyond npm and xz. it's how open source is handled *waves arms* everywhere. the mechanics of it all.

we keep finding ourselves in a situation where "one dude makes or breaks the internet" and nobody seems interested in solving that issue.

@Viss what solves that issue?

@benjojo global politics resulting in information and deception warfare spilling out onto social media and entrenching itself in the broad systemic issues and misalignments is not something you fix in one toot.

it's a shitload of problems that everybody knows about, which nobody is fussed enough about to fix, which all attract bad actors and are now bad enough they can be harnessed by governments to be used as plumbing for whatever they happen to need at the time.

which right now is spying