Actually, you might be pulling a bunch of malicious updates 2-3 modules deep in your dependency tree at any time.
As a society we should be moving away from a culture of “immediate” updates, e.g. on Twitter etc., and go towards more “peer review” like in science. Otherwise we are putting the responsibility on every individual to verify all sides of the story and get informed. They don’t, and society gets more and more divided. Imagine if a scientist tweeted at 3am and half their followers instantly believed them. Or if an open source contributor’s pull request was instantly accepted and pulled overnight by everyone. That’s why the USA and other countries are now so divided politically. It is strange to outsource responsibility to 100% of the downstream nodes individually.
I wrote about this back in 2012 predicting what would happen: https://magarshak.com/blog/?p=114
Recently I wanted to build one of Signal’s libraries so that I could use it with signal-cli. It astonished me that building this secure messenger requires automatically downloading a whole host of third-party dependencies through wget from some disparate repositories, which presumably had received little vetting.
What happened to the notion of using stable, centralized package repositories like Debian’s or Red Hat’s in order to build one’s software? I did a lot of Free Software development in the early millennium, then was away from the scene for a few years, and when I came back this desire for convenience above all else really baffles me.
At Qbix, we have built everything in-house and the few dependencies that we do pull in, we vetted and pinned the versions. People have criticized us for that in the past but if we are ever to get past trusting large, centralized entities for our server back ends, we need to make sure to kick the open source movement to the next level:
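The comment above talks about vetting and pinning the few dependencies that are pulled in, and the opening remark about malicious updates arriving two or three modules deep. The following is an added example, not Qbix's, Signal's or any package manager's code: a lockfile in a hypothetical `name version sha256` format pins every dependency, transitive ones included, to the digest of the artifact that was actually reviewed, and the verifier rejects anything that does not match byte for byte or that is not in the lockfile at all. Package names and artifact contents are constructed for the example.

```python
"""Hash-pinned dependency verification (added example, hypothetical lockfile format).

A version pin alone still trusts whatever the registry serves for that version;
pinning the SHA-256 of the reviewed artifact means a later, different upload
under the same version string is refused rather than pulled in overnight.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    sha256: str


def parse_lockfile(text: str) -> dict[str, Pin]:
    """Parse lines of the form 'name version sha256hex'; '#' starts a comment.

    This lockfile format is made up for the example, not a real tool's.
    """
    pins: dict[str, Pin] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"lockfile line {lineno}: expected 'name version sha256'")
        name, version, digest = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"lockfile line {lineno}: bad sha256 for {name}")
        if name in pins:
            raise ValueError(f"lockfile line {lineno}: {name} pinned twice")
        pins[name] = Pin(name, version, digest)
    return pins


def verify_fetched(pins: dict[str, Pin], fetched: dict[str, tuple[str, bytes]]):
    """Check every fetched artifact against the lockfile.

    `fetched` maps package name -> (version, artifact bytes), as produced by
    whatever downloader is in use. Returns (accepted, rejected) where rejected
    maps name -> reason. A digest mismatch, an unpinned package (for example a
    transitive dependency nobody reviewed) and a pinned package that never
    arrived are all failures; the caller should install nothing if rejected
    is non-empty.
    """
    accepted = []
    rejected = {}
    for name, (version, blob) in fetched.items():
        pin = pins.get(name)
        if pin is None:
            rejected[name] = "not in lockfile (unreviewed transitive dependency?)"
            continue
        if version != pin.version:
            rejected[name] = f"version {version} != pinned {pin.version}"
            continue
        actual = hashlib.sha256(blob).hexdigest()
        if actual != pin.sha256:
            rejected[name] = f"sha256 mismatch: got {actual[:12]}..., pinned {pin.sha256[:12]}..."
            continue
        accepted.append(name)
    for name in pins.keys() - fetched.keys():
        rejected[name] = "pinned but not fetched"
    return sorted(accepted), rejected


# Constructed sample artifacts standing in for the tarballs that were reviewed.
REVIEWED = {
    "libfoo": ("1.4.2", b"libfoo-1.4.2 reviewed contents"),
    "libbar": ("0.9.0", b"libbar-0.9.0 reviewed contents"),
}

# The lockfile is written once, from the reviewed artifacts, and committed.
LOCKFILE = "# name version sha256\n" + "".join(
    f"{n} {v} {hashlib.sha256(b).hexdigest()}\n" for n, (v, b) in REVIEWED.items()
)


def demo():
    """Simulate a later build where the registry no longer serves what was reviewed."""
    pins = parse_lockfile(LOCKFILE)
    fetched = dict(REVIEWED)
    # Same version string, different bytes: a replaced upload or a tampered mirror.
    fetched["libbar"] = ("0.9.0", b"libbar-0.9.0 with an extra postinstall hook")
    # A new transitive dependency that appeared three levels down and was never vetted.
    fetched["deep-dep"] = ("1.0.0", b"pulled in three levels deep")
    return verify_fetched(pins, fetched)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    for name, reason in rejected.items():
        print(f"rejected {name}: {reason}")
```

Running it accepts only `libfoo`; `libbar` is refused for the digest mismatch and `deep-dep` for not being in the lockfile. The point of the design is that the lockfile, not the registry, is the authority on what an install is allowed to contain, so the decision to trust a new upload is an explicit review-and-re-pin step rather than something that happens automatically on the next build.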
I'm now framing the problem as "inauthentic speech".
> ...go towards more “peer review” like in science.
Ditto journalism and reporting.
This is a universal problem. The core solution remains the same.
Cite your sources
Show your work
Sign your name
WRT John Walker's screed, I really thought certificates and web of trust would have become the norm by now. Anything unsigned would be treated as gossip or worse. Certs could be revoked as needed.
Further, every trusted digital relationship would start with a key exchange, vs. relying on a username and password. E.g. banks would issue me a Secure Enclave of some sort, like a USB fob.
I'd like to understand why this didn't happen. My best guess is that "Worse is better" enabled predators and parasites, which has been acceptable during the gold rush.
Package managers are nice for the lazy, but then we get stuff like this:
https://qz.com/646467/how-one-programmer-broke-the-internet-...