SoylentNews is people

posted by Fnord666 on Sunday March 29 2020, @08:37PM
from the questionable-dependencies dept.

Arthur T Knackerbracket has found the following story:

In November 2019, Denis Pushkarev, maintainer of the popular core-js library, lost an appeal to overturn an 18-month prison sentence imposed for driving his motorcycle into two pedestrians, killing one of them.

As a result, he's expected to be unavailable to update core-js, a situation that has project contributors and other developers concerned about the fate of his code library.

Pushkarev, known as zloirock on GitHub, mentioned the possibility he may end up incarcerated in a thread last May discussing the addition of post-install ads to generate revenue for a project that so many use and so few pay for. He anticipated he may need to pay for legal or medical expenses related to his motorcycle accident.

In that thread, developer Nathan Dobrowolski asked, "If you are in prison, who will maintain [core-js] then?"

Pushkarev offered no answer. Since his conviction last October, the need to resolve that question has become more than theoretical.

-- submitted from IRC

So dear soylentil developers, are there any libraries you are depending on that have a single point of failure?

  • (Score: 5, Informative) by Arik on Monday March 30 2020, @02:16AM (9 children)

    by Arik (4543) on Monday March 30 2020, @02:16AM (#977084) Journal
    "Before JS there was Flash and Applets,"

    No. That may be technically true, but they weren't the pervasive threat the words convey today.

    Without jscript, how do you autolaunch your flash monstrosity? Hmm?

    You can't. You can only provide a link to download, and instructions on how to download the flash viewer.

    And so on for any app. Exactly as it should be. Computers should not be downloading and executing arbitrary code from transient sources without an affirmative effort from the user to do so. That's unsafe and insane and always has been.
    --
    If laughter is the best medicine, who are the best doctors?
  • (Score: 1) by shrewdsheep on Monday March 30 2020, @08:35AM (6 children)

    by shrewdsheep (5215) on Monday March 30 2020, @08:35AM (#977143)

    These are strawmen. One thing that has spilled over from mobile is fine grained permissions. These allow (or will allow) a much more fine grained control over what apps can do than was ever possible before.

    Also I disagree with your second point. In the end a program will do something. How it got there is irrelevant, whether it downloaded something or was capable of doing said thing to begin with. The main point is whether the user has control. This is best achieved by permissions and not by the belief that a program would do a certain set of things and nothing more and would stay that way. However mistaken that belief usually is.

    • (Score: 5, Insightful) by Arik on Monday March 30 2020, @11:57AM (5 children)

      by Arik (4543) on Monday March 30 2020, @11:57AM (#977168) Journal
      "These allow (or will allow) a much more fine grained control over what apps can do than was ever possible before. "

      So what? Pointing my web browser to your server (likely via a link, perhaps even a disguised link) does not constitute consent to run your app. When you lose that, you really strike at the heart of what made the web worthwhile.

      "The main point is whether the user has control."

      Exactly. And that's precisely what the 'web app' strips away, by design. The user no longer has control. Because under the guise of distributing a document, he's now been tricked into running a program designed specifically to put chains on her. This has all been made so complicated, and hidden so well, that the average user is either completely unaware of it, or simply gives up. At this point we develop something we might call "herd vulnerability" as a result.

      A formal ability to say no is not always equivalent to a functional ability to say no. It is the latter, not the former, which is key here.
      --
      If laughter is the best medicine, who are the best doctors?
      • (Score: 0) by Anonymous Coward on Monday March 30 2020, @03:16PM (3 children)

        by Anonymous Coward on Monday March 30 2020, @03:16PM (#977226)

        "he's now been tricked into running a program designed specifically to put chains on her"

        Someone could only be tricked into it? As a transgender BDSM fetishist I take offense to that!

        • (Score: 0) by Anonymous Coward on Monday March 30 2020, @06:56PM (1 child)

          by Anonymous Coward on Monday March 30 2020, @06:56PM (#977310)

          Only Marxists make this type of grammar mistake; it is a sign of their mental confusion regarding sexes (not gender, which is a grammatical and not biological term).
          The correct pronoun to use in the general case where neither male nor female is specifically meant is: male.
          Barring that, just say, "the user."

          • (Score: 2) by Arik on Tuesday March 31 2020, @06:21AM

            by Arik (4543) on Tuesday March 31 2020, @06:21AM (#977536) Journal
            It's not a mistake.

            You're correct insofar as I was alternating genders, which is not the same thing as sex. But there's no mistake and no confusion.

            You're correct insofar as one possible, and in my view logical and unobjectionable approach is simply to default to the unmarked gender. Plenty of precedent, and as I said personally unobjectionable.

            But it's not the one true and only correct way. Language is more flexible than that. English in particular is more flexible than that. Some people find it objectionable. It's not a huge deal.

            Conspicuously alternating between the marked and unmarked form is almost precisely the same, except it gives an explicit cue as to which of two plausible ways it is to be read. In a sense, this is a better alternative, simply because it is less ambiguous.

            "Barring that, just say, "the user.""

            The proper English is "one." As in "when one finds oneself in a hole, one must first stop digging."
            --
            If laughter is the best medicine, who are the best doctors?
        • (Score: 2) by Arik on Tuesday March 31 2020, @06:10AM

          by Arik (4543) on Tuesday March 31 2020, @06:10AM (#977534) Journal
          A minority might well sign up willingly, I'm fine with them doing so.

          Not so fine with it becoming a general requirement.

          Not at all sure how seriously to take your comment. Are you the other AC that replied to yourself?
          --
          If laughter is the best medicine, who are the best doctors?
      • (Score: 2) by hendrikboom on Wednesday April 01 2020, @02:20AM

        by hendrikboom (1125) Subscriber Badge on Wednesday April 01 2020, @02:20AM (#977893) Homepage Journal

        A formal ability to say no is not always equivalent to a functional ability to say no.

        A fact which is evident to any rape victim.

  • (Score: 0) by Anonymous Coward on Monday March 30 2020, @06:08PM (1 child)

    by Anonymous Coward on Monday March 30 2020, @06:08PM (#977296)

    Computers should not be downloading and executing arbitrary code from transient sources without an affirmative effort from the user to do so.

    Executing. It's such a funny word. Taking stuff from remote and putting it locally and then doing stuff with it?? Like layouts? Like HTML? What about like RegEx? Or CSS? What is so special about JS? It just has a handful of statements.

    That's unsafe and insane and always has been.

    That can be said about anything. Might as well lock ourselves in the basements and disable all networks because HTML parser errors.

    • (Score: 2) by Arik on Tuesday March 31 2020, @02:03AM

      by Arik (4543) on Tuesday March 31 2020, @02:03AM (#977471) Journal

      "Executing. It's such a funny word. Taking stuff from remote and putting it locally and then doing stuff with it??"

      No, they aren't equivalents, execution is a special subset of 'stuff.'

      "Like layouts? Like HTML?"

      Documents. Data. Not executables.

      "What is so special about JS? It just has a handful of statements."

      No, it's a programming language. [crockford.com]

      There is a clear distinction between executable code and data. Executable code is where the danger lies. Yes, it's possible to exploit flawed executables by feeding them bad data - obviously. But it's sheer sophistry to pretend they aren't fundamentally different things. To penetrate a system using data you have to have a known and accessible flaw in the specific software on the remote machine that's being used to parse the data, one which will allow you to effectively transmute your data into code in memory. That's a very restricted attack surface. If you're allowed to run code, *any* kind of code, on the remote machine, you've busted out to a much larger attack surface and the prospect of the defender being able to secure that surface has diminished by orders of magnitude.

      --
      If laughter is the best medicine, who are the best doctors?