
Tracking down my strange program killer - azhenley
https://twitter.com/chrisparnin/status/1229927063295057920
======
jojobas
I wonder how many widely used github projects rely on cryptic "random small
packages from a pull request" that possibly introduce backdoors.

~~~
avetisk
The problem is that when you try to not do so, there's a bunch who come at
you with knives at your throat: "it's not our job to code and maintain this".

Even something which would require 5 lines of code, they would install a
package.

------
rzwitserloot
For those who have been living under a rock in the past few years, relying on
a maze of dependencies has led to issues before:

* The event-stream incident ([https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_st...](https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/)), where a very popular npm package was maintained by someone who didn't want to do it anymore and handed the keys to the package (both on github and npm) to the first person who mailed with an offer to take over. That person proceeded to put in some bitcoin wallet stealing code. In a very creative way - if you haven't heard of it, I recommend reading a little more, it's an interesting story.

* The leftPad debacle ([https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/](https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/)), where a one-liner repo was removed from npm by its author, breaking almost all node.js projects. The solution feels... insufficient (you can now no longer just delete your project).

* This pull request to remove a one-liner dep: ([https://github.com/moxystudio/node-cross-spawn/pull/102](https://github.com/moxystudio/node-cross-spawn/pull/102)) shows exactly what happens when you try to fix such problems by removing one-liner deps.

There's a fundamental misalignment at work here: An open source maintainer
thinks (and probably rightly so) that they don't owe you a thing, if they
prefer keeping a one-liner dep, that's their prerogative, and it's not their
job to ensure their library is secure. If it is easier for you (the user of a
library) to ascertain safety if the one-liner dep is removed, that's nice but
the maintainer of the library doesn't care about that.

And at the same time, users of open source libraries, possibly buoyed by
statements such as Linus's Law
([https://en.wikipedia.org/wiki/Linus%27s_law](https://en.wikipedia.org/wiki/Linus%27s_law)):
"given enough eyeballs, all bugs are shallow" generally do think they can rely
on the maintainer for security.

Which one is it? We can't have it both ways.

You'd think in a language where monkey patching is somewhat common, such
concerns would be _more_ important, and yet it is npm where the community as a
whole is by far the most extremist in the sense of adopting dependencies,
compared to other ecosystems such as java (mavencentral) or ruby (rubygems).

------
boomlinde
Surprise: "small random package" caused an issue in a Node project, and
"replacing [it] with simple init logic" solved the problem.

