bell-cot 2 days ago

The article's final call to action:

> Developers working with open source packages should:

...followed by 5 bullet points of laborious to-dos, to try to minimize the risk from each of the open source packages you're using.

My take:

- Aggressively minimize the number of packages you use. Any idiot can import 1M LoC in a minute. Competent devs don't.

- Be willing to re-invent some wheels. Especially when the alternative is importing wheel-lib v13.9.2j, along with its dozen or so dependencies.