Add lesson learned from polyfill.io #559
base: main
Signed-off-by: David A. Wheeler <[email protected]>
Signed-off-by: David A. Wheeler <[email protected]>
Co-authored-by: Chris de Almeida <[email protected]>
Signed-off-by: David A. Wheeler <[email protected]>
I wouldn't say "supply chain" on just this item. There are many supply chain attacks, and this is only one kind. If we single this out with the term "supply chain", I fear people might think they're identical.
Signed-off-by: David A. Wheeler <[email protected]>
I actually backtracked on that and had removed my comment, but I guess there was a race condition :)
@ctcpip - no problem! I merged in your improvement, & made a few more tweaks. I think it's better, thank you!
Sometimes inclusion across domains really *is* what you want to do, and the risks are reasonable, so back it down a little from "never" do it.
Signed-off-by: David A. Wheeler <[email protected]>
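The commit above accepts that cross-domain script inclusion is sometimes the right call when the risk is kept reasonable. The example below is added here and is not part of the PR or of the guide it edits; it assumes that pinning the included script by hash (the W3C Subresource Integrity `integrity` attribute, which the thread itself does not name) is the control being relied on. The script body, the CDN hostname and the function names are constructed for the example.

```python
import base64
import hashlib

# Constructed sample standing in for a third-party script body fetched from another domain.
SAMPLE_SCRIPT = b"(function(){window.__sample_polyfill_loaded=true;})();\n"

# Hash algorithms browsers accept in an integrity attribute.
SUPPORTED = {"sha256", "sha384", "sha512"}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value for `body`: '<algo>-<base64 digest>'."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Mimic the browser-side check.

    The attribute may list several hashes separated by whitespace. Only the
    strongest supported algorithm present is consulted, and the body must match
    at least one hash of that algorithm. Tokens with unknown algorithms are ignored.
    """
    by_algo: dict[str, set[str]] = {}
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        if sep and algo in SUPPORTED:
            by_algo.setdefault(algo, set()).add(b64)
    if not by_algo:
        # A browser would load the resource unchecked when no usable hash is present.
        # This checker returns False instead so a misconfigured attribute is noticed.
        return False
    strongest = max(by_algo, key=lambda a: int(a[3:]))
    actual = sri_hash(body, strongest).split("-", 1)[1]
    return actual in by_algo[strongest]


def script_tag(src: str, body: bytes) -> str:
    """Render the tag a site embeds for a cross-origin script.

    crossorigin="anonymous" is required for the integrity check to apply to a
    cross-origin fetch; without it the browser refuses to load the script.
    """
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    tag = script_tag("https://cdn.example.invalid/polyfill.min.js", SAMPLE_SCRIPT)
    print(tag)
    pinned = sri_hash(SAMPLE_SCRIPT)
    tampered = SAMPLE_SCRIPT + b"// content changed at the CDN\n"
    print("original verifies:", verify_sri(SAMPLE_SCRIPT, pinned))
    print("tampered verifies:", verify_sri(tampered, pinned))
```

The point of the check is that the hash is computed once, at the time the site owner reviewed the script, and is then served from the site's own HTML; a later change to what the third-party domain returns fails the check in the browser rather than running. Hash pinning does not help for scripts whose content is expected to change on every fetch, which is exactly the case where self-hosting is the better option.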
i thought we all learned this 10-20 years ago, but apparently not :-p
ljharb said:
Hehe. I think the problem is that new people keep showing up, and instead of learning from the past, they presume that the past has nothing to teach them. The past has very brutal ways to show otherwise :-(.
The malicious attack on the xz utils slipped through many defenses because the "source" package included pre-generated malicious code. This meant that review of the source code (e.g., as seen by git) couldn't find the problem. This proposes a best practice to counter it. The text is longer than I'd like, but it's hard to make it short, and this was a worrying attack so I think it's reasonable to say this. We'll probably need to renumber this proposal if we also add the proposed text to counter attacks like polyfill.io: #559 ... but I think that's okay!
Signed-off-by: David A. Wheeler <[email protected]>
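The commit message above describes the gap: the release tarball carried pre-generated content that was never in git, so reviewing the git history could not reveal it. The following is an added example of the check that closes that gap, written for this page and not taken from the PR or the guide; it compares a release tarball against the files tracked at the release tag. The project name, file contents, the `build_tarball` helper and the allowlist of legitimately generated files are constructed for the example, and `TRACKED` stands in for what `git ls-files` plus `git show <tag>:<path>` would return.

```python
import io
import tarfile

# Constructed stand-in for the tracked sources at the release tag (git ls-files + content).
TRACKED = {
    "configure.ac": b"AC_INIT([sample], [1.0])\nAC_OUTPUT\n",
    "src/main.c": b"int main(void){return 0;}\n",
    "m4/ax_helper.m4": b"dnl helper macro\n",
}

# Files a build system legitimately generates into a release tarball without committing them.
# Anything else that is present only in the tarball needs an explanation before release.
ALLOWED_GENERATED = frozenset({"configure", "Makefile.in"})


def build_tarball(prefix: str, files: dict) -> bytes:
    """Build a .tar.gz in memory; constructed input standing in for a downloaded release."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def audit_tarball(tar_bytes: bytes, tracked: dict,
                  allowed_generated: frozenset = frozenset()) -> dict:
    """Classify every difference between a release tarball and the tracked sources.

    Returns tarball-only files split into expected generated files and unexplained
    extras, tracked files whose bytes differ, and tracked files the tarball lacks.
    """
    seen = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Drop the leading "<name>-<version>/" directory component.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            seen[rel] = tar.extractfile(member).read()
    extra = set(seen) - set(tracked)
    return {
        "expected_generated": sorted(p for p in extra if p in allowed_generated),
        "unexplained": sorted(p for p in extra if p not in allowed_generated),
        "modified": sorted(p for p in seen.keys() & tracked.keys()
                           if seen[p] != tracked[p]),
        "missing": sorted(set(tracked) - set(seen)),
    }


def demo() -> dict:
    """Audit a constructed tarball that carries both expected and unexplained extras."""
    release = dict(TRACKED)
    release["configure"] = b"#!/bin/sh\n# generated by autoconf (constructed)\n"
    release["Makefile.in"] = b"all:\n"
    # One file that exists only in the tarball and one tracked file whose bytes changed.
    release["m4/extra-helper.m4"] = b"dnl present only in the tarball (constructed)\n"
    release["m4/ax_helper.m4"] = TRACKED["m4/ax_helper.m4"] + b"dnl extra line not in git\n"
    return audit_tarball(build_tarball("sample-1.0", release), TRACKED, ALLOWED_GENERATED)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths or '-'}")
```

A release gate built on this shape fails the build when `unexplained` or `modified` is non-empty, and the allowlist is itself reviewed in git. Rebuilding the generated files from the tag and diffing them against the tarball copies is the stronger follow-up for the `expected_generated` set; this example only establishes which files need that scrutiny.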