[conspire] People failing to learn about package gatekeeping, part 1
Rick Moen
rick at linuxmafia.com
Sun Apr 17 15:09:19 PDT 2022
Quoting Syeed Ali (syeedali at syeedali.com):
> Not to get into it, but I know at least one of them that worked
> to trick its users (software developers) to make a certain
> legal-social agreement.
>
> Actually I can think of three.
That's happened a bunch of times, most recently with an npm package,
node-ipc. (Again again.)
https://www.reddit.com/r/programming/comments/th2log/big_sabotage_famous_npm_package_nodeipc_deletes/
https://medium.com/geekculture/the-darker-side-of-npm-42dedfe41aa4
https://n3x0.com/2021/07/21/malicious-npm-package-caught-stealing-users-saved-passwords-from-browsers/
There's also the hilarious case of npm package "left-pad" -- eleven
lines of extremely basic JavaScript that untold numbers of big Node.js
npm packages depended on (for no better reason than the big package's
developer being too lazy to write a little function to pad out the
left-hand side of strings with zeroes or spaces), when the coder of the
11-line function "un-published" it from the npm repository.
https://www.theregister.com/2016/03/23/npm_left_pad_chaos/
That whole thing was embarrassingly incompetent.
Point is, this idiocy doesn't happen with distro packages.