"Package managers" like cargo, npm, gems, etc. are all security nightmares waiting to happen. Their existence is the result of a culture that enshrines speed, laziness, and selfishness. As a result, these things will continue to happen, and I reckon nobody will care.



@roadriverrail I don't see it this way.

I was quite active in the NodeJS community 2013-2019. npm was delightful to use: you could just publish your work, without needing to bow to any authoritative or bureaucratic process. It was largely friends sharing code with friends. I knew almost all of the authors in my dependency tree.

You'll also notice that there are no attacks listed on Drew's list before 2016. I think Node getting bigger in the corporate world was a factor, and that the leftpad incident kinda clued people to the fact that you COULD do malicious stuff with your packages.

Anyways, I'm sad you think I'm part of a culture of laziness & selfishness. That's definitely not my experience.

@tty You, personally, may have had nothing to do with it, and if npm were purely for sharing code between trusted parties, there'd have never been a problem. But "you can just publish" does privilege speed and personal satisfaction over the externalities generated, and somewhere, somehow, some people decided the right thing to do with those externalities was to just keep on passing them down the line.

Whether or not you were part of that, I don't know. But I do know it happened.

@roadriverrail Sorry you feel that way. :/

I really do think it's a matter of scale. A small group of friends sharing food is cool & doesn't need policing, but once you hit a big enough scale of food sharing -- especially if money becomes involved -- somebody is going serve some undercooked food & give people food poisoning, and then some authority-driven system is going to swoop in and lock down the whole process.

@roadriverrail npm's utility came from being able to share code with the rest of the community in a low-friction manner. People with bad intentions took advantage of that.

@tty And, yo, it's possible that the result is your own work has been exploited as a result, so this again is not about you. I'm from a time when it was normal to check out the CVS of a project and build it and have a franken-distro as a result. It's just that this is not a safe way to then share things with the broader world.

I've had multiple situations in Python and Rust where, when I merely wanted to write a small app, I was subjected to system-breaking levels of inside baseball.

@roadriverrail This seems like a parallel argument I've seen made of open source, where people will get upset that maintainers aren't providing professional support for their code they wrote & gave away for free. It's this, like, clash of two very different mindsets & expectations, which I think is also playing out in this conversation?

I see people sharing their work for free, not unlike putting it up on their git page for others to see / enjoy as they see fit, without expectations. From a business or perhaps even software developer who sees others' code as a service or good, I could see it feeling frustrating to have those goods come with issues like malware or low-quality attached.

I've certainly become accustomed to expecting a level of quality & safety from the packages I install from my linux package manager. I don't think I went into using things like npm or AUR with the same expectations though, and if I did, I can understand how it'd be painful to get burned.

@tty You're right that these are related conversations, but to be clear, I do not blame Some Person for writing Some Package. I blame a process that buries it as an opaque dependency someone else takes on unwittingly. I also am furious with a mentality from the Rust/cargo system, where the Rust you get via your distro is never sufficient to compile the dependencies you'll take on, forcing you to circumvent the checks a distro provides. This is fine for funsies, not for professional work.

@roadriverrail I've seen that kinda thing with node packages, where the distro PM tries its best to contain all packages within its borders, but I've heard it's a total nightmare for the distro packagers.

Sign in to participate in the conversation
Sunbeam City 🌻

Sunbeam City is a anticapitalist, antifascist solarpunk instance that is run collectively.