undefined | Better HN

0 pointsjrockway3y ago0 comments

With no data, I'm assuming this is all business-driven. Nobody is compromising software supply chains to make your 3D printer print 8% slower for the lulz. They're doing it to hack companies and compromise user data. If open source was just hobbyists making stuff for hobbyists, it might not even require a login to update a package. With companies involved, they to reduce this risk, and this comes at the cost of people not involved with the company's business. I can see why authors get annoyed; they are being required to change their workflow for a use case that doesn't interest them. Being asked to do boring work for free is not a great solution to anything.

Personally, I don't have a horse in this game. I always use 2FA when it's available. I have already made the necessary adjustments in my workflow. But I get why people are annoyed that they have to change something. Imagine that this was "we'll send you a check for $1000 if you enable 2FA on your account". Bet there would have been zero angry blog posts.

0 comments

3 comments · 3 top-level

tveita3y ago

> With no data, I'm assuming this is all business-driven. Nobody is compromising software supply chains to make your 3D printer print 8% slower for the lulz.

As far as I know common targets for malicious packages are crypto (mining, wallet swiping), and credentials (SSH, package repositories), none of which is limited to businesses. There's been some cases of politically motivated sabotage lately but mostly from the maintainer themselves so far - expect more of that though.

Often a compromised package will try to steal more credentials from downstream users. [1] I don't doubt that threat actors all the way from script kiddies to nation states are keeping a stash of credentials to package repositories, and it's going to suck for everyone when they decide to use them.

[1] https://www.bleepingcomputer.com/news/security/compromised-j...

giaour3y ago

> Nobody is compromising software supply chains to make your 3D printer print 8% slower for the lulz. They're doing it to hack companies and compromise user data.

The high-profile NPM package compromises in recent years have mostly targeted hobbyists/been indifferent to who they were targeting. Crypto miner malware doesn't care what computer it's installed on.

tsimionescu3y ago

> Imagine that this was "we'll send you a check for $1000 if you enable 2FA on your account". Bet there would have been zero angry blog posts.

That is just entitlement on the part of some open source devs. PyPI is already providing a huge service for them: it is publishing their package free of charge. Furthermore, it is maintaining old versions, scanning others for vulnerabilities, replicating across the world, resolving dependencies etc. They have every right to ask anyone who is enjoying their completely free service to put in the minute amount of extra work required to set up 2FA.

Of course, anyone is also free but to want to put in that work, and so they can stop delivering their package on PyPI. Absolutely your right as an open source maintainer, and you have no one to answer to if that breaks some builds.

j / k navigate · click thread line to collapse