←back to thread

Less is safer: How Obsidian reduces the risk of supply chain attacks

(obsidian.md)
429 points saeedesmaili | 2 comments | 19 Sep 25 22:02 UTC | HN request time: 0.019s | source
Show context
montroser ◴[19 Sep 25 23:28 UTC] No.45308028[source]
Yes, you are responsible for all the code you ship to your users. Not pinning dependencies is asking for trouble. It is literally, "download random code from the Internet and hope for the best."
replies(2): >>45308117 #>>45308136 #
Scramblejams ◴[19 Sep 25 23:42 UTC] No.45308136[source]
Pinning dependencies also means you're missing any security fixes that come in after your pinned versions. That's asking for trouble too, so you need a mechanism by which you become aware of these fixes and either backport them or upgrade to versions containing them.
replies(4): >>45308253 #>>45309891 #>>45310841 #>>45312407 #
kjkjadksj ◴[19 Sep 25 23:57 UTC] No.45308253[source]
All code is fundamentally not ever secure.
replies(2): >>45308272 #>>45308337 #
1. apstls ◴[20 Sep 25 00:08 UTC] No.45308337[source]
This statement is one of those useless exercises in pedantry like when people say "well technically coffee is a drug too, so..."

Code with publicly-known weaknesses poses exponentially more danger than code with unknown weaknesses.

It's like telling sysadmins to not waste time installing security patches because there are likely still vulnerabilities in the application. Great way to get n-day'd into a ransomware payment.

replies(1): >>45308634 #
2. nightpool ◴[20 Sep 25 00:48 UTC] No.45308634[source]
Have you spent time reviewing the security patches for any nontrivial application recently? 90% of them are worthless, the 10% that are actually useful are pretty easy to spot. It's not as big of a deal as people would like to have you think.