[conspire] People failing to learn about package gatekeeping, part 1
Ivan Sergio Borgonovo
mail at webthatworks.it
Sun Apr 17 15:30:07 PDT 2022
On 4/18/22 00:09, Rick Moen wrote:
> Quoting Syeed Ali (syeedali at syeedali.com):
>
>> Not to get into it, but I know at least one of them that worked
>> to trick its users (software developers) into making a certain
>> legal-social agreement.
>>
>> Actually I can think of three.
>
> That's happened a bunch of times, most recently with an npm package,
> node-ipc. (Again again.)
[self quote]
Of course there are communities of developers that are more susceptible
to incorporating rubbish in their projects, since they tend to lack a
culture of software ecology, incorporating everything that seems to fit
at that time into their project without a long-term view and security
awareness.
[/self quote]
I was wondering whether recent incidents with Python could be related to the
proliferation of "data scientists" and interest in deep fakes.
I admit I was too lazy to check if the trojanized packages were somehow
related.
--
Ivan Sergio Borgonovo
https://www.webthatworks.it https://www.borgonovo.net