So what do we do? I really think something like Firejail must be the way to go, but it's absolutely not ready for user-friendly prime time. And what do you do on macOS, or for every little tool like `ls` (where I want, say, filesystem access but not network)?
It all seems a bit hopeless, I refuse to believe anyone who claims to audit everything and every update - and would they have caught xz's backdoor anyway?
Ultimately, enough money/political capital will be lost such that the deciders will move towards Capability-based security[0] stances... oh, who am I kidding? It'll just be the Certification Game round NaN.
[0] That really is the only fail-closed way to do it. Everything else is theater... good theater, but theater.
EDIT: Btw, I do not mean to be dismissive towards lower-level/higher-sophistication security issues like side-channels, etc... but that's peanuts to ordinary Bad Guys. (Nation states might be more interested in advanced things). Most Interweb Bad Guys use very simple techniques, like bad writing in a scam email.
My 2 cents are that it is not theoretically possible to handle and actually fight the problem of _too many dependencies_. We all need them to move quickly.
But, there must be a balance.
Remark: just look at the FE framework / packages world (ecosystem). This is too much, and most are not needed.
That's clearly insufficient (this isn't meant to be an attack). Sadly, even the best-intentioned developer can get their machine corrupted and, as a consequence, poison huge chains, unfortunately.
It's more like a "hope to" than an actual solution.
Agreed. Next step, it'd be just great if most open source software (and presumably most non-OSS code, although that's harder to determine) didn't pull in half the internet as mostly pointless dependencies. While we're at it, it'd be sweet if major OSes like Windows and most Linux distros would move to a threat model of "machine is used by one or more users who each want to safely run untrusted code without risking their own files, safety or privacy" instead of the old "machine is shared by many users and our main concern is guarding them against each other" model.
How does one actually avoid this? e.g. Say your boss needs you to make a react native app - you start their default project, pull in a few Expo libraries for core functionality. At that point there are hundreds of third party libraries that are being pulled in that you can't realistically vet.
But how can we be productive as programmers without blindly copypasting random stuff from the Internet?
...well, I guess if your project is mostly about its internal business logic, not interacting/integrating with the wide world via the loads of weird and poorly implemented protocols and points, then you could be. But is this where the money is?
Also I read the article just to see if that poor grammar was directly copied and pasted from it, and to save anyone else the time, it was. The article wasn't proofread. Just made as clickbaity as possible and posted.