Open Source Developer Intentionally Corrupts His Own Widely-Used Libraries
“Users of popular open-source libraries ‘colors’ and ‘faker’ were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking..” reports BleepingComputer.
“The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that … ⌘ Read more
Whaaaaatttt?! 😱 Why?! 😳
@prologic@twtxt.net let’s introduce politics into the conversation https://apenwarr.ca/log/20211229
@movq@www.uninformativ.de That’s actually not a bad thing though. Static linking has its advantages really and the belief that dynamic linking makes security patching easier is really quite rubbish.
You are right though, it all comes down to how good your processes are (or not).
Read this @eaplmx@twtxt.net:
Is There A Way To Prevent Psychopaths From Getting Into Positions Of Power?
@movq@www.uninformativ.de You're right, neither Rust nor Go work that way. They use (or at least in Go's case, I'm not sure about Rust to be honest) Git really as a way to fetch packages. The plus side of this is you get all the nice benefits of Git.
Politics is a really complicated topic, not to say dirty. Needed but dirty in the end, so we delegate that kind of thing to the people who manage public life.
That oversimplification said, we are surrounded by power, violence, rights violations and such. Simple fixes for complicated problems don’t work, and the last question is: What are we going to do as individuals and as a community?
@eaplmx@twtxt.net We can start with us, treat each other with respect and decency. That’s a good start 👌 Listen to one another, have empathy and compassion. 🤗 These are not difficult concepts 😂
@movq@www.uninformativ.de Yeah I get your points. I used to maintain hundreds of packages for the CRUX distro once upon a time, so I get it. Your points about having a "2nd pair of eyes" are somewhat valid, but I say that because I've been a maintainer myself: we don't often do the "right" things as a maintainer and we sometimes get sloppy/lazy…
@movq@www.uninformativ.de I think overall there are two issues at play here we can agree on, whether or not it's "managed" by a distro (I think that's kind of irrelevant here, I use/develop on macOS for example and use brew, but I don't want my deps to come from Homebrew uggh yuck). Anyway, there are two issues I see:
- Supply Chain – Being able to vet, validate and verify everything that goes into a piece of software or product/service
- Library hygiene – Being prudent about libraries as a Library author and reducing or eliminating “transitive” dependencies.
@prologic@twtxt.net I would say empathy and compassion are extremely important and really difficult to grasp and practice!
That being said, in this group/community/organization/oasis/bunch_of_people, I really appreciate having it!
@eaplmx@twtxt.net Yeah I agree! 👌 One of my greatest hopes is that as Yarn.social continues to grow, each Pod and its Pod Owner/Operator (we seem to be calling them Poderator, thanks to @ullarah) will create and nurture small communities. The "network" as such will basically be an interconnected network of Yarn pods + Twtxtv2 feeds.
@prologic@twtxt.net Smooth Poderator 🎶
Poderator is brilliant! Reminds me of the Podcast and the concept of Pod itself, Ham radio and such.
@eaplmx@twtxt.net My only gripe with the term “Poderator” is it’s too close to “Moderator” but oh well 😅
@prologic@twtxt.net Haha, Godperator then
@eaplmx@twtxt.net LOL even worse 🤣 🤦♂️ So no 🤪