Most active commenters
  • danenania(3)

←back to thread

Tailscale raises $100M

(tailscale.com)
854 points gmemstr | 11 comments | 04 May 22 13:17 UTC | HN request time: 0.785s | source | bottom
Show context
pilif ◴[04 May 22 13:42 UTC] No.31260250[source]
With such a huge investment comes the obligation to eventually pay it back. Is this another one of my favourite tools going the way of Dropbox, 1Password and all other companies that were formed around what should be a platform feature, which took on way too large investment sums and were eventually forced to become the everything, losing sight of their core values?

I sincerely hope not, but there's so much bad precedent.

replies(6): >>31260318 #>>31260351 #>>31260537 #>>31260737 #>>31261295 #>>31264059 #
YPPH ◴[04 May 22 14:01 UTC] No.31260537[source]
How has 1Password lost sight of its core values?

Perhaps you refer to loss of local vaults? If so, they were never really a viable option for me - I needed the app syncing across multiple devices, including mobile, and doing so with a third party sync solution wasn't suitable.

replies(2): >>31261102 #>>31261681 #
1. criddell ◴[04 May 22 14:39 UTC] No.31261102[source]
For me, it was their switch to an Electron app. "High security" and "built from dozens of third party libraries and running on a browser" don't belong together.
replies(2): >>31261528 #>>31264784 #
2. YPPH ◴[04 May 22 15:06 UTC] No.31261528[source]
The choice of tech stack for a desktop application seems like an interesting basis to claim a company has lost touch with its core values.
replies(2): >>31261866 #>>31262119 #
3. smilespray ◴[04 May 22 15:29 UTC] No.31261866[source]
Moving from a native app to an Electron-based one has a definitive impact on usability. Calling it a tech stack choice is a bit dismissive.

They used to have a kick-ass Mac app. That appealed to a considerable amount of their users. Then they ditched the native app for Electron, and those same users were disappointed.

replies(1): >>31264024 #
4. skoskie ◴[04 May 22 15:47 UTC] No.31262119[source]
I’m fully in the camp who believes critical, top-level security should not co-exist with npm pulling dozens of 3rd party libraries which each pull even more 4th party code.

Is there anyone here with a counter argument? Has a security review been performed on each dependency? Any reason to think my fear is unfounded?

replies(1): >>31263976 #
5. dcow ◴[04 May 22 18:17 UTC] No.31263976{3}[source]
And what should replace it? Rust? Cargo? Oops. (I believe 1Password uses Rust for security-sensitive parts too, btw.) I'd genuinely like to know what the correct tech stack for a password manager is today because using the right one is important to my current endeavor.

Regardless at Uno we're working on a password manager with a native app and rust core. It's geared more towards everyday consumers than power HN users, but you might find it interesting. The rust core including api server is open source right now because that's one point where we diverge from 1P. Whatever tech stack you choose, it needs to be openly auditable so that the community can collectively ensure it remains secure. https://github.com/withuno/identity

6. dcow ◴[04 May 22 18:21 UTC] No.31264024{3}[source]
Which functionality was removed by switch stacks? What is the actual usability impact? I currently use 1Password7 and haven't updated to 8 so I'd like to know before updating.
7. danenania ◴[04 May 22 19:31 UTC] No.31264784[source]
Electron actually offers some of the best dependency-isolation capabilities of any language/platform given that you can set a content-security policy and leverage Chrome's extremely robust sandboxing to prevent front-end dependencies from accessing the file system, making network calls to untrusted domains, making system calls, calling 'eval', etc.

A fully native app will offer you no such protection. If a dependency used for styling or animations or whatever is compromised, it will have total access to the system and be able to exfiltrate at will to any location. In Electron, the equivalent dependencies can instead run inside the CSP sandbox, preventing them from doing any serious harm.

Supply chain vulnerabilities also aren't unique to npm. Any project that uses dependencies (in any language) has the same issue.

replies(1): >>31267960 #
8. girvo ◴[05 May 22 00:50 UTC] No.31267960[source]
> Any project that uses dependencies (in any language) has the same issue.

While that's absolutely true, the Node ecosystem (which I use, love, and make my money in) definitely takes the sheer dependencies of dependencies of dependencies problem to a rather fascinating extreme, compared to nearly any other language I use.

replies(1): >>31268328 #
9. danenania ◴[05 May 22 01:39 UTC] No.31268328{3}[source]
It would be interesting to see some data. Node definitely has that reputation, but every other language I’ve worked in—ruby, python, golang, clojure, hell even objective c—all have rich library ecosystems and most libraries include other libraries. They also all have plenty of small, single-purpose libraries. Perhaps node is a bit worse, but it’s not like it’s in a different category. Most popular languages/ecosystems are like this.
replies(1): >>31268882 #
10. fastball ◴[05 May 22 03:01 UTC] No.31268882{4}[source]
Node/JS definitely is a lot worse and in a different category by several orders of magnitude.

My theory is that this is because there is no standard library in Node.

My JS frontend has something like 20,000 packages that need to be installed to build the app. The next highest-dependency lang I use is python, where my average python app will have approx 100 packages all in. And then it only goes down from there with other systems.

replies(1): >>31269264 #
11. danenania ◴[05 May 22 03:57 UTC] No.31269264{5}[source]
I suppose a lot of that can be chalked up to the overall size of the ecosystem (and also the complexity of frontends).

There's an exponential effect at work based on the number of libraries that do any one thing. If in python you have (for sake of argument) an average of 5, and in node an average of 25, the downstream effect is that you have massively more dependencies in your tree (many, many, more than 5x), just like you're seeing.

I still don't think the O(n) properties of dependency trees are any different in other languages though. Node just has the largest scale. If python had as many total packages as node, and was also as popular for building frontends, I think you'd have exactly the same situation. That's what I meant by "not in a different category". Node's scale/popularity is in a different category than python's, but its approach to dependencies is basically the same.