Most active commenters

    ←back to thread

    Less is safer: How Obsidian reduces the risk of supply chain attacks

    (obsidian.md)
    429 points saeedesmaili | 12 comments | 19 Sep 25 22:02 UTC | HN request time: 0.403s | source | bottom
    1. montroser ◴[19 Sep 25 23:28 UTC] No.45308028[source]
    Yes, you are responsible for all the code you ship to your users. Not pinning dependencies is asking for trouble. It is literally, "download random code from the Internet and hope for the best."
    replies(2): >>45308117 #>>45308136 #
    2. lelandfe ◴[19 Sep 25 23:39 UTC] No.45308117[source]
    Pinned dependencies usually have their own dependencies so you are generally always downloading random code and hoping.

    I mean, jeeze, how much code comes along for the ride with Electron...

    replies(2): >>45308189 #>>45309458 #
    3. Scramblejams ◴[19 Sep 25 23:42 UTC] No.45308136[source]
    Pinning dependencies also means you're missing any security fixes that come in after your pinned versions. That's asking for trouble too, so you need a mechanism by which you become aware of these fixes and either backport them or upgrade to versions containing them.
    replies(4): >>45308253 #>>45309891 #>>45310841 #>>45312407 #
    4. cosmic_cheese ◴[19 Sep 25 23:50 UTC] No.45308189[source]
    The real answer is to minimize dependencies (and subdependencies) to the greatest extent practical. In some cases you can get by with surprisingly few without too much pain (and in the long run, maybe less pain than if you'd pulled in more).
    replies(1): >>45308314 #
    5. kjkjadksj ◴[19 Sep 25 23:57 UTC] No.45308253[source]
    All code is fundamentally not ever secure.
    replies(2): >>45308272 #>>45308337 #
    6. da_chicken ◴[19 Sep 25 23:59 UTC] No.45308272{3}[source]
    That's why I run Windows 7. It's going to be insecure anyways so what's the big deal?
    7. Scramblejams ◴[20 Sep 25 00:06 UTC] No.45308314{3}[source]
    Yep, and for the rest I've gotten a lot of mileage, when shipping server apps, by deploying on Debian or Ubuntu* and trying to limit my dependencies to those shipped by the distro (not snap). The distro security team worries about keeping my dependencies patched and I'm not forced to take new versions until I have to upgrade to the next OS version, which could be quite a long time.

    It's a great way to keep lifecycle costs down and devops QoL up, especially for smaller shops.

    *Insert favorite distro here that backports security fixes to stable package versions for a long period of time.

    8. apstls ◴[20 Sep 25 00:08 UTC] No.45308337{3}[source]
    This statement is one of those useless exercises in pedantry like when people say "well technically coffee is a drug too, so..."

    Code with publicly-known weaknesses poses exponentially more danger than code with unknown weaknesses.

    It's like telling sysadmins to not waste time installing security patches because there are likely still vulnerabilities in the application. Great way to get n-day'd into a ransomware payment.

    replies(1): >>45308634 #
    9. nightpool ◴[20 Sep 25 00:48 UTC] No.45308634{4}[source]
    Have you spent time reviewing the security patches for any nontrivial application recently? 90% of them are worthless, the 10% that are actually useful are pretty easy to spot. It's not as big of a deal as people would like to have you think.
    10. chrisweekly ◴[20 Sep 25 02:05 UTC] No.45309458[source]
    No. "Always downloading random code and hoping" is not the only option. Even w/ the supply-chain shitshow that the public npmjs registry has become, using pnpm and a private registry makes it possible to leverage a frozen lockfile that represents the entire dependency graph and supports vulnerability-free reproducible builds.

    EDIT to add: Of course, reaching a state where the whole graph is free of CVEs is a fleeting state of affairs. Staying reasonably up-to-date and using only scanned dependencies is an ongoing process that takes more effort and attention to detail than many projects are willing or able to apply; but it is possible.

    11. yen223 ◴[20 Sep 25 03:03 UTC] No.45309891[source]
    Things like dependabot or renovate solves the problem of letting you know when security updates are available, letting you have your cake and eat it too.
    12. skydhash ◴[20 Sep 25 11:34 UTC] No.45312407[source]
    > so you need a mechanism by which you become aware of these fixes and either backport them or upgrade to versions containing them

    RSS Feeds?