The funny thing about phrases like that is that they often get repeated despite being devoid of factual content.
We should indeed keep an eye out for the defunding of medical research but as even a few quick numbers from the NIH (at least speaking for the US) show, it hasn't generally been getting less funding year over year right up to the latest numbers. All the opposite actually. Increases in funding have shrunk slightly, but that's not the same as defunding.
Similar stats apply almost globally in any relevant public funding context. After all, if there's one thing that everyone wants, from rich to poor, powerful or weak, it's to hedge against bad health and a shorter lifespan by whatever means available, and especially if those means involve throwing money that isn't even yours personally at something with publicity. Even the most selfish politicians can usually get that through the fog of their self-interest.
Not really, app sec companies scan npm constantly for updated packages to check for malware. Many attacks get caught that way.
E.g. the debug + chalk supply chain attack was caught like this: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com...
There are multiple security firms by now that constantly scan updated npm packages for malware. Obviously those companies can only do this after a new package has been published.
Npm could add this as an automated step during publishing.
Sure, a manual review is needed for anything flagged, but you can easily fix this as well by having something like a trusted contributor program where, let's say, you'd need 5 votes to overrule a package being flagged as malware.
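As an added illustration of what "run the scan as a publish step" could look like, here is a sketch of publish-time heuristics over a freshly uploaded package version, with the vote-based override gate described in the comment above. This is example code written for this thread, not Aikido's, npm's or any vendor's scanner; the rules, weights, threshold, the 5-vote quorum and the two sample package versions are all assumptions made up for the demonstration.

```javascript
// Added example (not npm's, Aikido's or any vendor's code): a sketch of the
// publish-time heuristics a registry could run on a new package version before
// it becomes installable. Rules, weights and thresholds are illustrative only.

// npm lifecycle scripts that run automatically on install (real package.json fields).
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each rule is a regex over file contents plus a weight. These are assumptions
// about what "looks like malware"; production scanners use far more signals.
const CODE_RULES = [
  { id: 'eval-of-decoded-payload', weight: 5,
    re: /\beval\s*\(\s*(?:atob|Buffer\.from|unescape|decodeURIComponent)\s*\(/ },
  { id: 'new-function-of-string', weight: 3,
    re: /\bnew\s+Function\s*\(\s*['"`]/ },
  { id: 'hex-escape-wall', weight: 3,
    re: /(?:\\x[0-9a-fA-F]{2}){12,}/ },
  { id: 'long-base64-literal', weight: 3,
    re: /['"`][A-Za-z0-9+/]{200,}={0,2}['"`]/ },
  { id: 'network-primitive-overridden', weight: 4,
    re: /\b(?:XMLHttpRequest\.prototype\.(?:open|send)|(?:window|globalThis)\.fetch)\s*=[^=]/ },
  { id: 'env-read-near-network-call', weight: 4,
    re: /process\.env\b[\s\S]{0,300}?\b(?:fetch|https?\.request|net\.connect)\s*\(/ },
];

// Run every code rule over every JS/TS file in the tarball.
function scanFiles(files) {
  const findings = [];
  for (const [path, src] of Object.entries(files)) {
    if (!/\.(?:c?js|mjs|ts)$/.test(path)) continue;
    for (const rule of CODE_RULES) {
      if (rule.re.test(src)) findings.push({ rule: rule.id, path, weight: rule.weight });
    }
  }
  return findings;
}

// A new or changed install hook between the previous and the candidate version
// is a strong signal on its own: that is code that runs on every `npm install`.
function diffLifecycleScripts(prevPkg, nextPkg) {
  const findings = [];
  const before = (prevPkg && prevPkg.scripts) || {};
  const after = nextPkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (after[hook] && after[hook] !== before[hook]) {
      findings.push({ rule: before[hook] ? 'install-hook-changed' : 'install-hook-added',
        path: 'package.json', weight: before[hook] ? 3 : 4, detail: after[hook] });
    }
  }
  return findings;
}

// Score the candidate release against the previously published version.
function scanRelease(prev, next, threshold = 6) {
  const findings = [
    ...diffLifecycleScripts(prev && prev.packageJson, next.packageJson),
    ...scanFiles(next.files),
  ];
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  return { score, findings, verdict: score >= threshold ? 'quarantine' : 'publish' };
}

// Override gate from the thread: a quarantined version only ships when enough
// trusted contributors vote to overrule the flag (5 is the assumed quorum).
function reviewGate(result, overruleVotes, requiredVotes = 5) {
  if (result.verdict !== 'quarantine') return 'publish';
  return overruleVotes >= requiredVotes ? 'publish-overruled' : 'held';
}

// Constructed sample: a benign previous version and a candidate update that adds
// a postinstall hook, a long base64 blob fed to eval, and an XHR override.
const previousVersion = {
  packageJson: { name: 'example-pkg', version: '4.1.2', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = (s) => String(s).trim();\n' },
};
const candidateVersion = {
  packageJson: { name: 'example-pkg', version: '4.1.3',
    scripts: { test: 'node test.js', postinstall: 'node setup.js' } },
  files: {
    'index.js': 'module.exports = (s) => String(s).trim();\n'
      + 'XMLHttpRequest.prototype.send = function () {};\n',
    'setup.js': 'const payload = "' + 'QUJD'.repeat(60) + '";\n'
      + 'eval(Buffer.from(payload, "base64").toString());\n',
  },
};

console.log(scanRelease(previousVersion, candidateVersion).verdict); // quarantine
```

Comparing against the previous version matters as much as the rules: a lifecycle hook that was never there before is a far better signal than the mere presence of one, and the same diff view is what a human reviewer would want in the queue.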
Their actions are clearly not extremist, absolutely not perfect and not always equally democratic, but not extremist or violent like the actual extremists...
I do think the ambition to spy on all private communication is quite extremist.
Especially Germany should know better. If you build two autocratic dictatorships on average per century, maybe start to take care that state powers are restricted.
The US is fully correct in its criticism of Germany regarding freedom of speech and house searches. Sure, on surveillance their arguments would be very weak...
Absolutely nothing positive will be gained by this surveillance, so there isn't even the smallest security benefit. On the contrary.
Again, I disagree, I wouldn't call it extremist. It's vile and wrong, but people all over the political spectrum are in favour of this. There's a difference between something being bad or self-serving, and something being extremist. Labelling everything as extremist does not help anyone, especially today when everyone is already highly divided.
No way I'm getting into the restrict state powers discussion as that is highly complex and not something that can properly be discussed on an internet forum.
I disagree, for me it is an extreme position that affects the lives of everyone because of diffuse security whims. At best, since the motivation could be entirely different.
We had that in Germany by extremist autocratic parties and these policies are quite a clear mirror.
"Scanning the communications of everyone" - Might want to let that go through your head again.
Hmm, sure, I can agree that the position is extremist, I still don't agree that 1 (or some) extremist positions makes the current people in power extremist. Or at least, maybe they are, but I think most of the alternatives are more extremist.
Politics are an inherently violent affair. The government is simply a monopoly on legitimate violence. Politicians decide the laws, which result in people breaking them getting beaten up & dragged to a cell. Not to say this is always a bad thing: some people cannot be stopped from misbehaving just by talking, but it definitely is violent.
I see this a lot and am not convinced. It appears reductionist in a way that feels like it's pushing an agenda.
Democratic governments clearly are about addressing community needs and coordinating efforts that require pooled resources (at least). I'm not denying there may be a monopoly on violence. However, in a democratic system, such a monopoly would be voted on, giving the monopoly some legitimacy (not saying it's necessarily moral).
Yet in reality, the US, for example, has the Second Amendment, which grants citizens the right to bear arms and form militias. That doesn't sound like the government has a monopoly on violence.
I guess the weasel word is "legitimate"? But is that legal or moral legitimacy (or something else)? By whose definition and arrived at how?
It feels like such a pithy comment, "a monopoly on legitimate violence", like it's expressing something deep. Yet I get the sense that supporting it requires some contortion of logic and language. Maybe I'm missing something but it doesn't seem self-evident to me at all.
Define "extremist". Many people would argue mass immigration is an extremist position, but it was the normal accepted position for the people in power within the European Union, and was never a popular position with the populations of Europe.
So these so-called "right-wing extremists" represent the normal position.
On the other hand, the previous supply chain attack was found by automated tech.
Also, if MS would be so kind as to just run similar scans at the time a package is updated instead of after the package is updated (which is the only way the automated tech can run if npm doesn't integrate it), then malware like this would be way less common.
Hi, I'm Charlie from Aikido, as mentioned above. Yes, we detected it automatically, and I alerted Josh to the situation on BSky.
There's no reason why Microsoft/npm can't do what we're doing, or any of the other handful to dozen companies that do similar things to us, to protect the supply chain.
Yes to the "you guys can detect it in my codebase", but it's generally not required for someone to report a compromised package, we do also discover them ourselves quite fast due to automated scans of npm package updates. This is how Aikido was first to discover the previous supply chain hack.
I'm so sick of people saying this.
If you use js for any non-tiny project, you'll have a bunch of packages.
Due to how modules work in js, you'll have many, many sub dependencies.
Nobody has time to review every package they'll use, especially when not all sub dependencies have fully pinned versions.
If you have time to review every package, every time it updates, you might as well just write it yourself.
Yes, this is a problem; no, reviewing every dependency is not the damn solution.
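To put numbers on the "many, many sub dependencies" and "not fully pinned" points above, here is an added example that walks a lockfile and reports how many packages actually land in node_modules versus the few declared in package.json, and which dependency edges are declared as ranges rather than exact versions. This is example code written for this thread, not npm's own tooling; the lockfile is a constructed sample in the npm lockfileVersion 3 layout, and the package names in it are made up.

```javascript
// Added example (not from the thread, not npm's own tooling): audit a lockfile
// (npm lockfileVersion 3 layout; the sample below is constructed) for the size
// of the transitive tree and for dependency edges declared as ranges. A ranged
// edge can resolve to a different version on the next unlocked install even if
// the application itself pinned the package exactly.

// Exact semver only; ranges (^, ~, >=, x), tags and git/url specs count as unpinned.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/.test(spec);
}

function auditLock(lock) {
  const pkgs = lock.packages;
  const root = pkgs[''] || {};
  const direct = Object.keys(root.dependencies || {});
  // Every non-root entry is a package physically installed somewhere in node_modules,
  // including nested copies such as node_modules/a/node_modules/b.
  const installed = Object.keys(pkgs).filter((key) => key !== '');
  const unpinnedEdges = [];
  for (const [path, entry] of Object.entries(pkgs)) {
    const from = path === '' ? '<root>' : path.replace(/^.*node_modules\//, '');
    for (const [dep, spec] of Object.entries(entry.dependencies || {})) {
      if (!isPinned(spec)) unpinnedEdges.push({ from, dep, spec });
    }
  }
  return {
    direct: direct.length,
    installed: installed.length,
    transitive: installed.length - direct.length,
    unpinnedEdges,
  };
}

// Constructed sample lockfile: two direct dependencies, four installed packages.
// Note that the app pins color-lib exactly, but web-framework's own edge to
// color-lib is still a range, so the pin at the top does not pin the whole tree.
const sampleLock = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'web-framework': '^2.0.0', 'color-lib': '5.0.1' } },
    'node_modules/web-framework': {
      version: '2.3.1',
      dependencies: { 'log-lib': '~1.4.0', 'color-lib': '>=4' },
    },
    'node_modules/log-lib': { version: '1.4.7', dependencies: { 'tty-detect': '1.0.0' } },
    'node_modules/tty-detect': { version: '1.0.0' },
    'node_modules/color-lib': { version: '5.0.1' },
  },
};

const report = auditLock(sampleLock);
console.log(`${report.direct} direct, ${report.transitive} transitive, `
  + `${report.unpinnedEdges.length} unpinned edges`);
for (const edge of report.unpinnedEdges) {
  console.log(`  ${edge.from} -> ${edge.dep} (${edge.spec})`);
}
```

The lockfile freezes the resolved tree only as long as installs honour it (`npm ci` fails rather than deviating from the lockfile, while `npm install` may rewrite it), so the ranged edges this reports are exactly where a new upstream release can slip in between reviews.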