Less is safer: How Obsidian reduces the risk of supply chain attacks

(obsidian.md)

421 points saeedesmaili | 1 comments | 19 Sep 25 22:02 UTC | HN request time: 0s | source

Show context

montroser ◴[19 Sep 25 23:28 UTC] No.45308028[source]▶

Yes, you are responsible for all the code you ship to your users. Not pinning dependencies is asking for trouble. It is literally, "download random code from the Internet and hope for the best."

replies(2): >>45308117 #>>45308136 #

lelandfe ◴[19 Sep 25 23:39 UTC] No.45308117[source]▶

>>45308028 #

Pinned dependencies usually have their own dependencies so you are generally always downloading random code and hoping.

I mean, jeeze, how much code comes along for the ride with Electron...

replies(2): >>45308189 #>>45309458 #

cosmic_cheese ◴[19 Sep 25 23:50 UTC] No.45308189[source]▶

>>45308117 #

The real answer is to minimize dependencies (and subdependencies) to the greatest extent practical. In some cases you can get by with surprisingly few without too much pain (and in the long run, maybe less pain than if you'd pulled in more).

replies(1): >>45308314 #

1. Scramblejams ◴[20 Sep 25 00:06 UTC] No.45308314[source]▶

>>45308189 #

Yep, and for the rest I've gotten a lot of mileage, when shipping server apps, by deploying on Debian or Ubuntu* and trying to limit my dependencies to those shipped by the distro (not snap). The distro security team worries about keeping my dependencies patched and I'm not forced to take new versions until I have to upgrade to the next OS version, which could be quite a long time.

It's a great way to keep lifecycle costs down and devops QoL up, especially for smaller shops.

*Insert favorite distro here that backports security fixes to stable package versions for a long period of time.

↑