Axios maintainer pwnage is fucking peak incompetence. Critical shit is in the hands of fucking idiots. How the fuck are these guys not having separate computers for different tasks? Seriously... Or a fucking VM for the crap... Tech is available, tech is cheap. Everyone is a fucking moron... Damn...

@osxreverser That's not even remotely near peak. Yes, they could have done better but … nobody is buying them a separate computer to use for stuff like this and if it's a side project they're not looking for more friction.

We have this conflict all over the open source world. We could really use a well-trusted organization (CNCF, Apache, Linux, etc.) making a major effort to help maintainers adopt trusted publisher build workflows, for example, but that wouldn't be cheap or fast.

@acdha Virtual machines are dirt cheap. There is no excuse. People are just incompetent and the whole thing is ridiculous the more you read into it. It can't just be fame and github stars, the increased responsibility demands increased friction, security and better processes. Otherwise it's just stupid risk everyone is taking, assuming the other side is able to behave reasonably securely.

@osxreverser @acdha People are *very* lazy. Any kind of friction at all is only ever accepted after unjustifiably expensive damage has been done. When it comes to extra steps for themselves, even people with a PhD in infosec forget how to calculate risk.

@osxreverser I'm aware VMs are cheap, but they're not magic. Stuff like the Trivy attack would've gotten any credentials shared inside the VM so you still need to work on the harder problem of friction. The Axios attack either would have popped the host or, if he tried to use Teams inside the VM, would have gotten all of the exposed credentials there which likely would have included their GitHub / NPM cookies if they thought they were working with a collaborator.

@osxreverser I'm not saying there's nothing they could have done better but that there are multiple hard problems here, none of them have easy solutions, and going around attacking OSS maintainers for not doing their unpaid labor the way you'd like is going to turn away more people than it helps.

What does work is better tools: e.g. what would it take to get to the point where most OSS maintainers have to tap a Yubikey each time they publish a release? (better, where you need n>1?)
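A trusted publisher workflow of the kind mentioned in the earlier reply, and a release gate that needs more than one person, as an added example (this is not code from the thread, from Axios, or from any project named here): a GitHub Actions job that publishes to npm through OIDC trusted publishing, so no long-lived npm token sits on a maintainer's laptop or in repository secrets. Assumed: the package has this repository and this workflow file registered as a trusted publisher on npmjs.com, and the `npm-publish` environment name is hypothetical.

```yaml
# Added example, not from the thread. Publishes an npm package through
# OIDC trusted publishing; assumes the package has this repo + this
# workflow file name registered as a trusted publisher on npmjs.com.
name: publish

on:
  release:
    types: [published]   # only a published GitHub release triggers a publish

permissions:
  contents: read
  id-token: write        # lets the job mint the OIDC token npm exchanges for publish rights

jobs:
  publish:
    runs-on: ubuntu-latest
    # Hypothetical environment name. Add required reviewers to it in the
    # repo settings so a second maintainer must approve every run; that
    # is the closest existing equivalent to an n>1 key tap per release.
    environment: npm-publish
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave a GitHub token in .git/config
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # trusted publishing needs npm 11.5.1 or newer
      - run: npm ci
      - run: npm test
      # No NODE_AUTH_TOKEN anywhere: npm detects the OIDC token, and the
      # registry attaches a provenance attestation to the published version.
      - run: npm publish
```

The only credential in play is a short-lived OIDC token bound to this repository and workflow, so a session stolen off the maintainer's machine (the Teams-style lure discussed above) cannot run `npm publish` on its own; the attacker would also need a change merged and a release published under the environment's reviewer gate. Rotating or revoking nothing on the laptop changes what this pipeline can do, which is the point.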

@acdha Unpaid labor is a bullshit argument, sorry. It has nothing to do with following reasonable procedures to protect themselves and their users. Pushing code and risking everyone's security just for the sake of pushing code makes zero sense, paid or unpaid. What's the problem of tapping a Yubikey? Yes, it's annoying (I know it!) but it's the proper way to have speed bumps that solve enough problems. The world is different, people need to act different. Trust is way too cheap these days.

@osxreverser look, I get it, there are ways to prevent this. I'm just saying that if you dismiss the real reasons why people don't upgrade as “bullshit arguments”, you're not going to accomplish very much. If that worked, we'd have known decades ago because people have been trying shaming as a motivational technique since the beginning of open source and it's had very little success.

@acdha @osxreverser In my opinion, we should stop expecting developers to know everything about infra. It just doesn't work for the vast majority of developers. They like and want to write code, they should focus on that. The release pipelines and all other bs should be managed by other (paranoid) specialists.

@caspicat @acdha It's not infra, it's basically security processes for someone whose code has millions of downloads. There is no such thing as just writing code and everything else is not my problem. Otherwise long live LLMs and developers can just fade out.

@acdha People don't upgrade security because they are lazy and don't care, outsourcing those problems to others under the bullshit excuse of free work. If people want to release software used by millions they need to care about the security of said software, otherwise accept the shaming and the downside when they fuck up badly and put everyone else in danger because of their incompetence or "I don't care" attitude. It's simple. Or just clearly declare "I don't care about security".

@acdha You get a VM per task. A VM to use zoom/teams/slack for unknown stuff should be mandatory. Segregation is not a new concept. Yes, it increases friction but that's exactly the way it protects against this kind of crap. People can't keep sharing important resources, they need at least some segregation. VMs aren't invincible but they would solve most of these problems and introduce extra attacker friction.