undefined | Better HN

0 pointssethvargo6y ago0 comments

The goal was not to disrupt ICE, Chef, or any organization thereof. The goal was to remove my code from an ecosystem that was using it for purposes I perceive as evil. I had no goals of disrupting ICE operations or Chef operations.

I suspected a small percentage of people with a hard, runtime dependency would be impacted, but I did not know Chef (the software) had a hard runtime dependency and was pulling that dependency from public RubyGems instead of a mirror they control.

0 comments

temac6y ago

Besides the political statement, do you have any technical opinion about an organization such as Chef shipping things that have runtime deps to third parties?

sethvargoOP6y ago

It wasn’t a political statement. I have a few thoughts in general. These aren’t specific to this situation.

First, always minimize runtime dependencies. I personally prefer compiled things for this very reason.

Second, if you’re going to include a third party dependency, how are you auditing it? There’s an unexplored area around security here too. The Node.js ecosystem has had a series of incidents where popular packages have had cryptocurrency miners injected into otherwise helpful packages. If you’re depending on third party runtime dependencies: how are you auditing changes and contributions, how are you scanning for vulnerabilities, how are you patching those vulnerabilities if you don’t have an internal fork upon which you build?

Third, RubyGems is a volunteer-run organization. I believe other software ecosystems are similar. From my understanding of the situation, a RubyGems outage would have had similar effect.

kortilla6y ago

Compromised third party libs are absolutely not “an unexplored area around security”. It’s a super well-known threat.

1 more reply

autotune6y ago

What are your thoughts on Golang?

2 more replies

j / k navigate · click thread line to collapse