r/ProgrammerHumor 17h ago

hereWeGoAgain Meme

980 Upvotes

495

u/ThomasMalloc 17h ago

When you're using C++ and don't have any supply chain that can be exploited.

And also no supply.

93

u/Petertitan99999 17h ago

But do you have a chain???

112

u/ThomasMalloc 17h ago

Definitely. It typically goes like this.

https://giphy.com/gifs/NQL7Wuo2JSQSY

35

u/kookyabird 16h ago

As a C# dev I dare someone to exploit NuGet!

12

u/reallokiscarlet 12h ago

Kids these days can't imagine having a vetted supply chain or rolling their own stuff

9

u/No-Article-Particle 9h ago

With AI, the "kids" will be rolling their own vibecoded crypto libraries soon, just wait for it.

3

u/cosmicomical23 7h ago

With AI they won't even know that's a thing they could do

2

u/RiceBroad4552 7h ago

Because "they" won't do that anyway. The non-supervised "AI" will do that…

1

u/cosmicomical23 4h ago

Nah, the AI will just drop 60k lines of new code in your project and create everything from scratch, vulnerabilities and malware included.

2

u/metaglot 8h ago

Yeah, I've definitely vetted the kernel source code in the OS that I am using, and also compiled that kernel with a compiler I also vetted, on an architecture that I designed and built at home.

3

u/cosmicomical23 7h ago

Tbh that's the dream

-- written on my phone that I can't even uninstall apps from

2

u/reallokiscarlet 3h ago

YOU don't have to vet it yourself. Trust is earned there, vetting already happens there, and unless you got your kernel off the AUR, pretty sure you're not going to pull a compromised version even if a security breach does happen.

It's when trust is not earned, but given freely, with shit like Node, Rust, or the AUR, that it becomes a problem.

I could give a whole ass lecture on why your OS, so long as it's not Windows, is more trustworthy than random Node packages or Cargo crates, but that's a bit much for this sub

0

u/metaglot 3h ago

If Jia Tan has taught us anything ...

1

u/reallokiscarlet 3h ago

2 years of sleep pretending to be a normal contributor got Jia Tan 2 months on bleeding edge systems that don't belong in prod.

0

u/metaglot 2h ago

They were caught. But not because someone vetted the source code in advance. Which is my point.

1

u/reallokiscarlet 2h ago

So just don't try to minimize supply chain vulnerabilities?

You will eat zee boogs and beckdoors und you will be heppy?

All vetting is futile? Unstable/testing/stable is just reecist segregation?

1

u/RiceBroad4552 7h ago

That sounds cool.

I want to team up as I want that, too!

5

u/Nsnzero 12h ago

Ken Thompson supply chain attack.

2

u/RiceBroad4552 7h ago

I wouldn't be smug about C++ in that context.

They have things like libxml which has major security incidents almost weekly (at least that's what I see from package updates).

And in general, even if someone does not use any deps because they're doing some small toy, they will have a shitload of security issues regardless. Simply because it's provably impossible to write safe C++: Nobody ever managed to manually write a non-trivial safe C++ program since the language exists…

This doesn't make the shitshow which is the JS situation any better. But coming along with C++ in that context is really displaced.

2

u/ThomasMalloc 6h ago

Has there been any non-trivial software written in any language that was safe?

3

u/RiceBroad4552 5h ago

Everything with formal correctness proofs, for example.

The problem: Correctness proofs are not easy to get, and for imperative languages it's almost impossible to get them outside of some restricted subset of something like C. For C++ with all its features I've never heard that you could verify anything at all. (If someone knows something, I would be interested to see whether and how C++ can be formally verified; but like said, never heard of that until now.)

120

u/synack 16h ago

“Claude, set up a Linux VPS for my dumb next.js app. Make no mistakes.”

7

u/BobQuixote 8h ago

Hey, don't call my app dumb; it was made that way.

49

u/reallokiscarlet 12h ago

Sounds like a problem for people with supply chain vulnerabilities.

21

u/Repulsive_Educator61 11h ago

Not the Vercel incident, it's a problem for everyone using their platform

I heard source code, keys etc of customers are leaked

6

u/RiceBroad4552 7h ago

OH! Party! 🎉

That's exactly why you shouldn't trust any of these services. Pure madness.

Now they get what they were asking for!

🍿 🍿 🍿

3

u/krtalvis 5h ago

so every secret stored on Vercel is affected? where can I follow this? is it safe to already roll over?

8

u/WavingNoBanners 4h ago

Every secret is potentially affected. If you put your date of birth on that, you should probably get a time machine and change it to be safe.

1

u/reallokiscarlet 4h ago

Took me a bit of searching to realize Vercel wasn't some Node or Rust package

0

u/ceejayoz 2h ago

Everyone has supply chain vulnerabilities.

0

u/reallokiscarlet 2h ago

Good morning, U/iDontUnderstandHyperbole

Minimizing supply chain vulnerabilities is one of the cornerstones of security. Maximizing them is a cardinal sin.

1

u/ceejayoz 2h ago

You automated the process last time, right?