Looks like the same poorly implemented Android CT library that broke a lot of apps a couple years ago... did it again 🤦‍♂️

https://github.com/appmattus/certificatetransparency/issues/143#issuecomment-2993688741

June 21 update for log_list.json breaks the auto update · Issue #143 · appmattus/certificatetransparency

Latest update for log_list.json includes a logs: [], which breaks the requirement here. However maybe we should be checking whether logs or tiled_logs is not empty instead?

GitHub
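As an added illustration of the check the linked issue discusses (example code written here, not the library's own and not from the issue thread): a brittle validator that rejects any operator with an empty "logs" array, next to one that accepts an operator when either "logs" or "tiled_logs" has entries and falls back to the last known-good list when an update fails. The sample JSON is constructed in the shape of log_list.json v3; its IDs, keys and log names are placeholders.

```python
import json

# Constructed sample in the shape of Google's log_list.json v3; IDs, keys and
# names are placeholders, not real CT log parameters. Operator A has moved its
# logs into "tiled_logs" and now publishes an empty "logs" array, which is the
# shape the June 21 update introduced according to the issue.
SAMPLE_LOG_LIST = json.dumps({
    "version": "3.0",
    "operators": [
        {"name": "Operator A", "logs": [],
         "tiled_logs": [{"description": "A 2025h2", "log_id": "PLACEHOLDER_ID_A",
                         "key": "PLACEHOLDER_KEY_A",
                         "state": {"usable": {"timestamp": "2025-01-01T00:00:00Z"}}}]},
        {"name": "Operator B", "tiled_logs": [],
         "logs": [{"description": "B 2025", "log_id": "PLACEHOLDER_ID_B",
                   "key": "PLACEHOLDER_KEY_B",
                   "state": {"usable": {"timestamp": "2025-01-01T00:00:00Z"}}},
                  {"description": "B old", "log_id": "PLACEHOLDER_ID_B2",
                   "key": "PLACEHOLDER_KEY_B2",
                   "state": {"retired": {"timestamp": "2024-01-01T00:00:00Z"}}}]},
    ],
})


def brittle_check(raw: str) -> bool:
    """The failure mode from the issue: require every operator's "logs" array to
    be non-empty, so one operator publishing only tiled logs rejects the file."""
    return all(op.get("logs") for op in json.loads(raw)["operators"])


def parse_log_list(raw: str) -> list[dict]:
    """Accept an operator if "logs" or "tiled_logs" has entries, keep only logs
    in the "usable" state (an example policy chosen here, not the library's),
    and refuse a list that leaves no log to verify SCTs against."""
    usable = []
    for op in json.loads(raw).get("operators", []):
        entries = list(op.get("logs") or []) + list(op.get("tiled_logs") or [])
        usable += [log for log in entries if "usable" in log.get("state", {})]
    if not usable:
        raise ValueError("log list contains no usable logs")
    return usable


def update_log_list(raw: str, current: list[dict]) -> list[dict]:
    """Fail-safe auto-update: a malformed or empty download keeps the last
    known-good list instead of leaving the app with nothing to verify against."""
    try:
        return parse_log_list(raw)
    except (ValueError, KeyError, TypeError):
        return current
```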

Amongst other things, there's an open source software supply chain story here.

This Android library with 174 stars and one maintainer has taken down Monday.com, Eventbrite (!!!), UPS, Kraken, Lowe's, YBS, IKEA, Agibank, iFood, PagBank, pago.ro, and Udemy.

Again, this is the same failure mode that caused outages in 2023.

https://github.com/appmattus/certificatetransparency/issues/143#issuecomment-2993753426

@filippo Tbh, that sounds like a software quality and review issue on the side of these platforms. They don't have the same excuse as random family/hobby blogs in that regard...

@filippo I've been building systems and processes to prevent exactly such issues at large companies (international but smaller than the mentioned ones).

It's also not really that hard. Most effort is on the side of needing someone to do the reviewing.

The rest is setting up e.g. an internal-only GitLab and creating an automatic pull-mirror (prevents history rewrites). Then you include it as a git submodule in your projects, and each time you want to update to main again it has to be reviewed.

@filippo um, I don't know what to say other than:
Well deserved!

@filippo

None of them write their websites/applications themselves.

It's convenient to use this or that library, which in turn has dependencies on other libraries.
Who knows all the dependencies down to the last link in the chain?
I'd say nobody.

@IrrsinnHilft @filippo that's why people now create SBOMs and feed them into tools like Dependency-Track. We have strict requirements for that in some projects.

@filippo
My favorite reply on that: "Who can we contact at Google regarding these issues?"

Contact at Google. Haha.

@filippo No, absolutely no. The library (and by extension its maintainer) did not take down those sites. We should never use or accept language that even indirectly suggests this.*

Whoever took the library and used it without sufficient testing "took down" the sites. It only matters that the bug is old or obvious in that it *directly points out* how the company using the library failed to take the necessary precautions.

*It's the same kind of language that places blame on victims: "look at what you made me do"; other examples would need a cw..
@ltning @filippo it’s like people skip right over the part in the license that says the software is provided AS IS, without warranty of any kind, including without limitation the warranty of fitness for a particular purpose! And that the software authors are in no way liable for any consequences arising out of your use of the software! (Paraphrasing MIT there because that’s what I know off the top of my head, but most licenses have clauses like those). No warranty and no liability means you don’t get to blame someone else when it goes wrong, and there’s no “supply chain” relationship formed.

@filippo Best comment: 'If this library is so critical to your infrastructure, why are only two(!) people sponsoring it?'

And it is a good question.

@filippo they did that themselves. Nobody forcing them to use this library. You're responsible for what you ship.
@arianvp @filippo i hope they keep breaking it, big companies deserve nothing but destruction
@filippo Is it exceptional that Eventbrite was taken down?
@filippo what's the source of this list of apps using this library?
@filippo ah probably from the email domains in the google issue https://issuetracker.google.com/issues/426786108 ? Interesting :-)

@self partially that, partially status pages, partially correlating Downdetector.
@filippo that's a shit take mate, maybe megacorps should not be lazy and actually understand what they're using and fund things like this to make it better.
@filippo You found a hammer in a ditch and proceeded to smash your face in. Now you’re in the ditch covered in shit and blood crying about how the blacksmith ”took you down”. You did it to yourself you worm
@filippo sounds more like a bunch of businesses were relying on unpaid labor and are mad now that their free code isn't perfect
@filippo imagine taking a piece of shit code built by some dude in a basement for free, who you can't even contact or speak with, and then putting it in the core of Monday.com, Eventbrite (!!!), UPS, Kraken, Lowe's, YBS, IKEA, Agibank, iFood, PagBank, pago.ro, and Udemy.

fucking dickheads honestly, no other way to say it, they're beyond idiotic and it's
👏ENTIRELY 👏THEIR 👏FAULT

the FOSS dev has done nothing except build random shit in their free time, maybe corporations shouldn't sell me services built on a Jenga tower of garbage without a warranty

corporations can PAY to write their own fucking code, stop taking FREE shit and blaming individuals when it breaks your million dollar business, assholes