Every week there’s an article about the high vulnerability of package managers to supply chain attacks and I’m just amazed it’s taken this long for people to figure out that routinely auto-pulling 500 disparate third party libraries unseen into your project is a terrible idea.
I remember back in my MacOS dev days being told that I should be using CocoaPods and when I told them that was a stupid idea (I had like 3 dependencies and regularly poked around in the source for all of them) I was the old fashioned old man. “But it automates all the updates!” So what? There are 3: a) I don’t need it, it’s super easy to pull changes from source, and b) when I do it manually I actually *look* at the updates like a sane person would. https://arstechnica.com/?p=2034866
[Link preview] 3 million iOS and macOS apps were exposed to potent supply-chain attacks. Apps that used code libraries hosted on CocoaPods were vulnerable for about 10 years. (Ars Technica)
Of course there’s no reason you can’t use automated package managers *and* do the kind of due diligence a responsible developer would do when pulling code from third parties into their project, but I don’t think I’ve ever seen anyone do this. Instead it seems normal to implicitly trust anything that comes out of a package management system no matter who controls it and that’s always been wild to me.

@sinbad at Amazon they *ONLY* did source imports of externally authored package revisions.
Any time a new package or a new package version was imported, there was an engineer with their name on it.
These packages were also visible to oversight and auditing, so if a vulnerability was discovered the affected versions could be marked appropriately and migrated off of.
Now I'm at Magic Leap and it's similar, we don't just bump dependency versions, they're all manual (mostly via git submodules, ugh but I digress) or hard forked into our local repositories.

I can't IMAGINE being OK doing this any other way.

@kevingranade I’m glad it’s done properly in some places

@sinbad the crazy thing to me is most package managers have some kind of local proxy system you can set up to do the same thing, you don't have to build a whole system to do this crap yourself.

That applies a lot more to a corporate environment with lots of shared dependencies between projects rather than a single project; in that case I totally agree with your point about "enough dependencies to need package management is too many to safely consume".

@kevingranade I can definitely see a working model at scale where the only packages you *can* pull are those in a private library which has a dedicated team vetting it
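The model the thread converges on (a private catalogue of vetted package versions, each imported by a named engineer, that oversight can later flag, and which is the *only* source a build may pull from) can be enforced mechanically at build time. The following is an added example written for this thread, not code from Amazon, Magic Leap, CocoaPods or any other package manager. It assumes a JSON lockfile of the form `{"dependencies": [{name, version, sha256}]}` and a catalogue whose field names (`imported_by`, `status`, `migrate_to`) are invented here; the artifacts, digests and package names are constructed for illustration.

```python
"""Build gate for a vetted, private dependency catalogue (added example).

Illustrative code written for this thread, not from any poster's employer or
any package manager. Assumed model: every externally authored package version
was imported by a named engineer, carries the sha256 of the artifact that
engineer reviewed, and has a status oversight can flip to "vulnerable" with a
migration target. The build resolves its lockfile against the catalogue and
refuses anything unknown, unreviewed, tampered with, or flagged.
"""
import hashlib
import json
from typing import Dict, List

# Constructed stand-ins for the source tarballs a reviewer actually read.
REVIEWED_ARTIFACTS = {
    ("leftpad", "1.3.0"): b"leftpad 1.3.0 reviewed source",
    ("leftpad", "1.4.0"): b"leftpad 1.4.0 reviewed source",
    ("netlib", "2.0.1"): b"netlib 2.0.1 reviewed source",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed catalogue: the only versions a build may consume. Field names
# (imported_by, status, migrate_to) are assumptions made for this example.
VETTED_CATALOGUE: Dict[str, Dict[str, dict]] = {
    "leftpad": {
        "1.3.0": {"imported_by": "alice",
                  "sha256": sha256_hex(REVIEWED_ARTIFACTS[("leftpad", "1.3.0")]),
                  "status": "vulnerable", "migrate_to": "1.4.0"},
        "1.4.0": {"imported_by": "alice",
                  "sha256": sha256_hex(REVIEWED_ARTIFACTS[("leftpad", "1.4.0")]),
                  "status": "ok"},
    },
    "netlib": {
        "2.0.1": {"imported_by": "bob",
                  "sha256": sha256_hex(REVIEWED_ARTIFACTS[("netlib", "2.0.1")]),
                  "status": "ok"},
    },
}


def parse_lockfile(text: str) -> List[dict]:
    """Assumed lockfile shape: {"dependencies": [{name, version, sha256}, ...]}."""
    return json.loads(text)["dependencies"]


def check_lockfile(deps: List[dict], catalogue: Dict[str, Dict[str, dict]]) -> List[str]:
    """Return one violation string per bad dependency; empty list lets the build proceed."""
    problems: List[str] = []
    for dep in deps:
        name, version, digest = dep["name"], dep["version"], dep["sha256"]
        versions = catalogue.get(name)
        if versions is None:
            problems.append(f"{name}: not in the vetted catalogue")
            continue
        entry = versions.get(version)
        if entry is None:
            problems.append(f"{name}=={version}: never imported (vetted: {sorted(versions)})")
            continue
        if digest != entry["sha256"]:
            # Same version string, different bytes: the resolver fetched something
            # other than what the importing engineer reviewed.
            problems.append(f"{name}=={version}: sha256 mismatch with the reviewed artifact")
            continue
        if entry["status"] == "vulnerable":
            problems.append(f"{name}=={version}: flagged vulnerable, migrate to {entry['migrate_to']}")
    return problems


# Constructed lockfiles: one clean, one hitting every failure mode the gate catches.
CLEAN_LOCKFILE = json.dumps({"dependencies": [
    {"name": "leftpad", "version": "1.4.0",
     "sha256": sha256_hex(REVIEWED_ARTIFACTS[("leftpad", "1.4.0")])},
    {"name": "netlib", "version": "2.0.1",
     "sha256": sha256_hex(REVIEWED_ARTIFACTS[("netlib", "2.0.1")])},
]})

DIRTY_LOCKFILE = json.dumps({"dependencies": [
    {"name": "leftpad", "version": "1.3.0",                        # flagged version
     "sha256": sha256_hex(REVIEWED_ARTIFACTS[("leftpad", "1.3.0")])},
    {"name": "netlib", "version": "2.0.1",                         # tampered bytes
     "sha256": sha256_hex(b"netlib 2.0.1 with an extra postinstall hook")},
    {"name": "netlib", "version": "2.0.2", "sha256": "00" * 32},   # never imported
    {"name": "colorz", "version": "0.0.1", "sha256": "11" * 32},   # unknown package
]})


def gate(lockfile_text: str) -> bool:
    """True if the build may proceed; prints each violation otherwise."""
    problems = check_lockfile(parse_lockfile(lockfile_text), VETTED_CATALOGUE)
    for p in problems:
        print("BLOCKED:", p)
    return not problems


if __name__ == "__main__":
    print("clean lockfile passes:", gate(CLEAN_LOCKFILE))
    print("dirty lockfile passes:", gate(DIRTY_LOCKFILE))
```

The catalogue here stands in for what a private registry or local proxy would hold; the point is that the digest compared against is the one recorded when a human reviewed the code, so a re-published artifact under the same version string fails the gate rather than flowing in silently.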
@sinbad @kevingranade It works for us, more or less. We deal with Export Controlled Information (ECI) on a regular basis so beyond basic security, we have fairly strict rules on the licenses of third-party libraries. There's some code we can't share publicly without going to jail.