Post 1551213 by clacke@libranet.de
Post #1524790 by clacke@libranet.de
2018-11-27T06:04:45Z
0 likes, 0 repeats
> The malicious code was inserted in two stages into event-stream, a code library with 2 million downloads that’s used by Fortune 500 companies and small startups alike. In stage one, version 3.3.6, published on September 8, included a benign module known as flatmap-stream. Stage two was implemented on October 5 when flatmap-steam was updated to include malicious code that attempted to steal bitcoin wallets and transfer their balances to a server located in Kuala Lumpur.

Would you believe me if I said this happened in npm, where create-react-app 2.1.1 installs 1,770 dependencies? Yes, yes you would.

arstechnica.com/information-te…/
via github.com/dominictarr/event-s…/
via twitter.com/garybernhardt/stat…
Post #1524791 by clacke@libranet.de
2018-11-27T06:14:35Z
0 likes, 0 repeats
One of the commenters on the issue said something to the effect of "[how do we know right9ctrl and dominictarr aren't the same person?]".

Look. Listen. dominictarr is one of the good guys. He is core to ssb and he has been contributing oodles of packages to npm over the years. He has a reputation to uphold. This whole incident must be a huge embarrassment to him.

I think it's totally understandable that he had lost interest in one of the packages, maybe considered it done, and then someone wanted to develop it further, so he gave it away. We should all be so lucky as to have people take over maintaining our baggage. What's disappointing is the attitude in the issue:

> If you guys feel strongly about this, why don't you volunteer to maintain it and contact npm support?

If I woke up and heard that someone had hijacked some old package I used to maintain and used it to leak private information, I would start sweating and screaming and finding ways to fix things. But I don't know what he does away from the screen, maybe he is doing just that and failing to communicate it. Or maybe it's all just too overwhelming and this is his stress response. I could do that too, just cradle myself and wish it all to go away.
Post #1524792 by clacke@libranet.de
2018-11-27T07:31:55Z
0 likes, 1 repeats
Dominic's response here: gist.github.com/dominictarr/9f…

TL;DR: This was the first in a series of modules solving similar projects and he was done with and over it. He *has* done what he can to address the issue:

> As to this particular issue, I have emailed npm support and suggested that they give the module to @ FallingSnow and ar @ XhmikosR

Actually, he was originally doing what e.g. Rich Hickey was talking about in his keynote "Spec-ulation"(0) -- if you change the contract, change the name. Don't use semver, or at least skip the major. It was event-stream, then through, then pull-stream, now push-stream.

I'm not coming down on Tarr here, I'm just thinking out loud about how we should deal with these things, the next time:

Maybe at that point what you should do is lock things up and throw away the key. Or make the last version of the old thing a wrapper of the new thing, if at all possible. If you are not running a project with governance and succession, so that there is some continuity and trust, maybe the next person to come along really shouldn't ride on the name of your thing. Fork it and rename it instead, that's always available. Then if the new thing is actually better, people can vet it anew and use it if it does what it says on the tin.

People were depending on event-stream, with an open-ended version specification, just in case there would be an update later. But there wouldn't be, because the improvement on the thing was the next thing. Maybe the last version should actually have been a version that just fails to build and says "Look, you're welcome to depend on the old version, if it works for you that's fine. Just lock down the version. If you feel something is lacking, please address that in $NEXT_THING, because $THING is no longer maintained.".

(0) Transcript with link to youtube video: github.com/matthiasn/talk-tran…
Post #1524793 by clacke@libranet.de
2018-11-27T07:32:36Z
1 likes, 0 repeats
Side note: A repo full of transcripts of talks you enjoyed? What a thing! Thank you, Matthias Nehlsen, you are doing humanity a service.

> I wanted to study the content of some talks in written form but there were no transcripts available. However, I believe that the valuable and relevant content of these talks should be accessible to everyone, including those for whom ‘sit back and listen’ might not be the most viable option. To make that a reality, I had transcripts made.

matthiasnehlsen.com/blog/2014/…

I love you.
Post #1547216 by clacke@libranet.de
2018-11-28T03:47:09Z
0 likes, 1 repeats
Metadiscussion of the gist on Twitter, if you're into that kind of thing: twitter.com/dominictarr/status…

Tarr changing his bio to "unrepentant module giver awayer" is good fun, and I accept part of his point, but I'm still not comfortable with the attitude.
Post #1551212 by moritzbuhl@bsd.network
2018-11-28T09:32:06Z
0 likes, 0 repeats
@clacke Just to continue in a point here, I am not serious but: how do we know right9ctrl and dominictarr and you aren't the same person?
Post #1551213 by clacke@libranet.de
2018-11-28T09:54:52Z
1 likes, 0 repeats
Yes, well, how do we know anything really. All three of us could be a dog.
Post #1551217 by clacke@libranet.de
2018-11-28T06:14:39Z
0 likes, 0 repeats
Tidelift obviously use this chance to drive home their message, but it's a good summary of the issues nonetheless: blog.tidelift.com/event-stream…
Post #1551218 by alcinnz@floss.social
2018-11-28T06:57:29Z
0 likes, 0 repeats
@clacke I wonder: Is it easier to vet one massive dependency (which I am doing) than uncountable little ones?

Though for me throw a small handful of small dependencies in too, and if I feel up to it an entire OS.
Post #1551219 by clacke@libranet.de
2018-11-28T07:15:56Z
1 likes, 0 repeats
When you have 1000 transitive dependencies, there is no tooling to give you a unified diff from one lockfile to another, so there's that. Also, if you bring it down to trust, with fewer dependencies you have fewer people or projects to have an opinion of.
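One way to get the lockfile-to-lockfile diff the post above asks for, as an added example that is not code from this thread or from any of its participants: a small Python script that flattens two npm package-lock.json files (the nested lockfileVersion 1 form and the flat "packages" form of versions 2/3) and lists packages that were added, removed, or changed version or integrity, so a new transitive dependency such as flatmap-stream appearing under event-stream stands out. The two lockfiles embedded below are constructed samples; apart from event-stream 3.3.6, every version number and every integrity string is a placeholder, not a real value.

```python
"""Added example: diff two npm package-lock.json files to spot changed transitive deps."""
import json
import sys


def flatten(lock):
    """Map each installed package path to (version, integrity) for lockfileVersion 1, 2 or 3."""
    flat = {}
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by node_modules path
        for path, meta in lock["packages"].items():
            if path:  # the empty key is the root project itself, not a dependency
                flat[path] = (meta.get("version"), meta.get("integrity"))
        return flat

    def walk(deps, prefix):  # lockfileVersion 1: nested "dependencies" trees
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            flat[path] = (meta.get("version"), meta.get("integrity"))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return flat


def diff_lockfiles(old, new):
    """Return package paths added, removed, or whose version/integrity changed."""
    a, b = flatten(old), flatten(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }


# Constructed sample lockfiles (lockfileVersion 1). Versions other than
# event-stream 3.3.6 and all integrity strings are placeholders, not real values.
OLD_LOCK = {"lockfileVersion": 1, "dependencies": {
    "event-stream": {"version": "3.3.4", "integrity": "sha512-PLACEHOLDER-A"},
    "through": {"version": "2.3.8", "integrity": "sha512-PLACEHOLDER-B"}}}
NEW_LOCK = {"lockfileVersion": 1, "dependencies": {
    "event-stream": {"version": "3.3.6", "integrity": "sha512-PLACEHOLDER-C",
                     "dependencies": {"flatmap-stream": {  # new nested dependency
                         "version": "0.0.0", "integrity": "sha512-PLACEHOLDER-D"}}},
    "through": {"version": "2.3.8", "integrity": "sha512-PLACEHOLDER-B"}}}

if __name__ == "__main__":  # usage: python lockdiff.py old-lock.json new-lock.json
    locks = [json.load(open(p)) for p in sys.argv[1:3]] if len(sys.argv) == 3 else [OLD_LOCK, NEW_LOCK]
    for kind, paths in diff_lockfiles(*locks).items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

Run without arguments it diffs the embedded samples and reports event-stream as changed and the nested flatmap-stream as added; with two lockfile paths it diffs those instead.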