I'd rather have a software commons and have tech be owned by the workers and not soul-sucking corporations, no matter the size.

If you are actually against the policy and suspect a lot of people are too, then don't silence your employees by keeping their feedback isolated to 1:1s which you admit are ineffective.

Executives need clear feedback to avoid making major mistakes.

Apparently they've tried to implement this in JavaScript but the language is generally too flexible to resist a malicious package running in the same process.

We need to be using different languages with runtimes that don't allow privileged operations by default.

Both producers and consumers of media are in the same boat of barely surviving. Maybe we can work with each other instead of against each other? :)

Comments URL: https://news.ycombinator.com/item?id=44001621

Points: 3

# Comments: 0

There are still many other ways that a dependency can be exploited before or after the build phase.

I'll believe that BNPL is good when all the companies become non-profits that use excess funds to cancel debts rather than lining the pockets of rich investors.

You may do a "docker build" in a pipeline which does need root access and network access, but when you publish a package on pypi, you certainly don't need root access and you also don't need access to the entire internet, just the pypi API endpoint(s) necessary for publishing.

Linux processes have tons of default permissions that they don't really need.

You don't need to audit every line of code in your dependencies and their subdependencies if your dependencies are restricted to only doing the thing they are designed to do and nothing more.

There's essentially nothing nefarious changed-files could do if it were limited to merely reading a git diff provided to it on stdin.

Github provides no mechanism to do this, probably because posts like this one never even call out the glaring omission of a sandboxing feature.

https://crankysec.com/blog/community/

> All the cybersecurity companies saying "We don't have anything to say about this situation." is just them being true to their main in-group: for-profit companies that don't want to upset a big current or potential buyer. They are, first and foremost, part of that "community", and they happen to be involved in cybersecurity. Solidarity is happening there, just not to the people in cybersecurity.

This sucks and we should change it for sure. So many other industries have successfully become professionalized, unionized, and kicked the grifters to the curb. But it feels more and more like the cybersecurity grifters are the ones holding the reins.

You need immutability and something like sandboxing where actions cannot e.g. dump the memory of the runner process to steal secrets.

The alternative is vetting every single line of code in every dependency and every subdependency perfectly for every update, which is not realistic.

You can get secure and easy-to-use tools, but they typically have to be really simple things.

US technology has a hegemony because we were first to the party, our economy is larger, and our laws are hostile to newcomers (lack of interoperability requirements, lack of enforcement of anti-trust laws, strong defense of DMCA laws, non-competes, and trade secret laws).

I've worked in the EU tech sector. They have tons of startups that operate just like US startups: VC funded, hockey-stick growth, and hiring like crazy. Their stricter labor laws don't get in the way of that.

The hyper-growth, VC-funded startup model is itself quite exploitative, but if it's still possible with stricter labor laws, then fears about them impacting growth are unfounded.

Job mobility for tech workers is a fluke of current economic conditions. If interest rates spike, or a recession happens, or a bubble bursts, this benefit would go away and you'd be stuck at that exploitative company or unemployed.

Unionization and labor laws can make workers less disposable without substantially affecting growth (see: European tech hubs).

Us tech workers could be leveraging the privilege we have to get better conditions for everyone.

A perfect example is non-compete clauses. Tech workers enjoy high job mobility, which is only hindered by non-competes. It's no accident that major tech hubs were some of the first states to ban them, helping all workers.