From 0c65633d3466d85824d73ceea391c66da4af5936 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Joann=20M=C3=B5ndresku?= Date: Thu, 22 Sep 2022 21:19:47 +0300 Subject: [PATCH] fixes --- ...supply-chain-attacks-industry-never-learns.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/content/posts/supply-chain-attacks-industry-never-learns.md b/content/posts/supply-chain-attacks-industry-never-learns.md index a7a828b..6d2a9c9 100644 --- a/content/posts/supply-chain-attacks-industry-never-learns.md +++ b/content/posts/supply-chain-attacks-industry-never-learns.md 
@@ -35,25 +35,25 @@ in performance, security and code quality by creating a lot of those said depend is becoming a much more versed programmer. Another solution is to fork the dependencies if you do need them, **audit the code of what you're going to be using**, -use **direct verifiable links rather than just package name** and if the package manger supports any form of hash checking +use **direct verifiable links rather than just the package names** and if the package manger supports any form of hash checking or other means to do so, use it! Which brings me to another point, the way a lot of current registries work are on blind trust basis - you trust the registry -to retrieve you code by a simple prompt - the package name and version, you do not ask for any hash verification, neither do you +to retrieve you the code by a simple prompt - the package name and version, you do not ask for any hash verification, neither do you ask for means to verify the author. You can't even be sure that package v0.0.1 is the same thing as it was a week ago, because that -data can be overwritten by the package author. There are so many clear design flaws with these package managers that are essentially -dumb downloaders without any regard to safety. +data can be overwritten by the package author. There are so many clear design flaws with these package managers that are essentially nothing +more than just dumb downloaders without any regard to security. -Even the simplest sha256 check would improve the situation, if nothing else. ReactOS Applications Manager is a lot more secure +Even the simplest sha256 check would improve the situation, if nothing else. The ReactOS Applications Manager is a lot more secure by design compared to all of the afforementioned package managers just by the hash check alone. ## Okay, but how does the industry "never learn"? 
Simple, the package managers are still growing in popularity, there is no blowback, new developers are still being lead to use NPM, PyPi, Rust crates, public CDN CSS/JavaScript libraries, etc. There is no practice of auditing the code you are pulling at all. -The industry is increasing their bet on blind trust to save a penny in developer hour cost to achieve their desired result. +The industry is increasing their bet on blind trust to save a penny in developer hours to achieve their desired result. In this industry, money speaks, so reducing costs by using fewer developers and shortcuts with these package managers is going to -be the standard going forward. Maybe this will one day change with more rapid supply chains that cost companies millions or more per -year in ransoms. +be the standard going forward. Maybe this will one day change with more rapid supply chain attacks that cost companies millions or +more per year in ransoms. ### Hater. -- 2.25.1
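Review bot: the rewritten line `+use **direct verifiable links rather than just the package names** and if the package manger supports any form of hash checking` still carries the typo "package manger" from the `-` line it replaces; since the patch already touches this line, change it to "package manager" here (the same misspelling is repeated further down in the unchanged context, "if the package manger supports"). Two more spelling fixes in this hunk's context lines would fit a patch titled "fixes": "afforementioned" should be "aforementioned", and "new developers are still being lead to use NPM, PyPi" should read "being led to use NPM, PyPI". Separately, the unchanged context asserts "you do not ask for any hash verification, neither do you ask for means to verify the author" two sentences after the rewritten line advises using hash checking wherever the package manager supports it, so the categorical claim contradicts the post's own advice; consider qualifying it to say that hash verification is opt-in or off by default rather than unavailable. Finally, "the way a lot of current registries work are on blind trust basis" is ungrammatical in both the `-` and `+` versions; "works on a blind-trust basis" would read better.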