Gregory's Server@piecritic @danderson @philtor it looks like you think we are doing good enough and the luck here is not really luck but the system working as intended, although there are many levels where this could have been caught, it does seem like this one could easily have done a lot more harm before being discovered, and hoping we are going to get similarly lucky next time doesn't strike me as a serious plan (well, hope never is, anyway).
There might be others, currently exploitable, that we missed.
|
Top-level
 3 comments
@piecritic @philtor @danderson that I agree, but many people are depending on this lib, and surely we should be able to encourage them, and make it easier for them, to check that the changes make sense, distributors, applications builders, people adding this lib to their own project, should probably set some time aside for it, or companies themselves should dedicate resources to such audits, but clarity of dependencies, and resources to do the work, are needed. @philtor @danderson @tshirtman nah. That’s unrealistic. What is realistic is that projects assess the scope of risk of their dependencies and consider at what depth a dependency affects their systems, then considers the maturity and safety of the team maintaining it. This is what i do as part of my job. This is a social problem exclusively, not an economical one. |
@tshirtman @philtor @danderson there shouldn’t be dependencies that are used so broadly that it can affect the entire world that have one tired maintainer working for free. This is a deeper systemic issue and the system itself is working as intended given that constraint.