that was fun, wasn't it?
left-pad was 2016.
it's been eight years.
we have learned nothing in 8 years.
@Viss @bert_hubert Who is this we?
Like, without being too snarky, but ecosystem changes did happen as a result of left-pad. npm has restrictions, other platforms like the Go ecosystem proxy-cache packages, the list is quite long on improvements to that part of the ecosystem.
Assuming this is an xz-related post, I don't really see how this is related. One is an individual deciding that they wanted to pull a repo and causing a dependency house of cards to come falling down (something that the JS ecosystem was especially sensitive to), and the xz incident was a likely state actor working their way into an open source project over a longer period of time, and writing sophisticated payloads to sneak into upstream dependencies.
What could we have learned from left-pad that would have applied to xz here? I don't get it. Open source bad? Vendor everything? Audit every single endless tree of changes that happens to you downstream?
All these kinds of vague-y posts do is demotivate people who are actively trying to turn things around.
7.56K Posts, 1.11K Following, 7.48K Followers · Software developer, entrepreneur, former government regulator, current government advisor, amateur scientist. https://berthub.eu/
@bert_hubert @benjojo this is a systemic problem that goes beyond npm and xz. it's how open source is handled *waves arms* everywhere. the mechanics of it all.
we keep finding ourselves in a situation where "one dude makes or breaks the internet" and nobody seems interested in solving that issue.
@benjojo global politics resulting in information and deception warfare spilling out onto social media and entrenching itself in the broad systemic issues and misalignments is not something you fix in one toot.
it's a shitload of problems that everybody knows about, which nobody is fussed enough about to fix, which all attract bad actors and are now bad enough that they can be harnessed by governments to be used as plumbing for whatever they happen to need at the time.
which right now is spying