undefined | Better HN

0 pointsmetaengies2d ago0 comments

Actively destructive opinion article. I could not begin to understand the rationale.

It takes 45 seconds to go check how old the copyfail and dirtyfrag vulnerabilities actually are. Which is longer than it takes to read TFA. Dirtyfrag may be relevant to systems from as far as 2017.

It's not "new" software being affected. And actual old software is in a much worse state because we had a lot more time to find their problems.

0 comments

smallpipe2d ago

OP is suggesting that a supply chain attack would be bad now, and to reduce that risk by not installing/updating NPM packages.

pocksuppet1d ago

FYI copyfail and dirtyfrag are the same vulnerability activated by two different code paths.

It's as if Windows had a vulnerability triggered by writing a certain string to a file. Copyfail is to write the string to a file. Dirtyfrag is to get another program to write the string to a file. When you fix the vulnerability - make sure nothing strange happens when the string is written - both go away at the same time.

j / k navigate · click thread line to collapse

0 comments

smallpipe2d ago

OP is suggesting that a supply chain attack would be bad now, and to reduce that risk by not installing/updating NPM packages.

pocksuppet1d ago

FYI copyfail and dirtyfrag are the same vulnerability activated by two different code paths.

j / k navigate · click thread line to collapse