
SoylentNews is people

posted by Fnord666 on Sunday March 29 2020, @08:37PM
from the questionable-dependencies dept.

Arthur T Knackerbracket has found the following story:

In November 2019, Denis Pushkarev, maintainer of the popular core-js library, lost an appeal to overturn an 18-month prison sentence imposed for driving his motorcycle into two pedestrians, killing one of them.

As a result, he's expected to be unavailable to update core-js, a situation that has project contributors and other developers concerned about the fate of his code library.

Pushkarev, known as zloirock on GitHub, mentioned the possibility he may end up incarcerated in a thread last May discussing the addition of post-install ads to generate revenue for a project that so many use and so few pay for. He anticipated he may need to pay for legal or medical expenses related to his motorcycle accident.

In that thread, developer Nathan Dobrowolski asked, "If you are in prison, who will maintain [core-js] then?"

Pushkarev offered no answer. Since his conviction last October, the need to resolve that question has become more than theoretical.

-- submitted from IRC

So, dear soylentil developers, are there any libraries you depend on that have a single point of failure?


  • (Score: 2) by Arik (4543) on Tuesday March 31 2020, @02:03AM (#977471)

    "Executing. It's such a funny word. Taking stuff from remote and putting it locally and then doing stuff with it??"

    No, they aren't equivalent; execution is a special subset of 'stuff.'

    "Like layouts? Like HTML?"

    Documents. Data. Not executables.

    "What is so special about JS? It just has a handful of statements."

    No, it's a programming language. [crockford.com]

    There is a clear distinction between executable code and data. Executable code is where the danger lies. Yes, it's possible to exploit flawed executables by feeding them bad data - obviously. But it's sheer sophistry to pretend they aren't fundamentally different things. To penetrate a system using data you have to have a known and accessible flaw in the specific software on the remote machine that's being used to parse the data, one which will allow you to effectively transmute your data into code in memory. That's a very restricted attack surface. If you're allowed to run code, *any* kind of code, on the remote machine, you've busted out to a much larger attack surface and the prospect of the defender being able to secure that surface has diminished by orders of magnitude.

    --
    If laughter is the best medicine, who are the best doctors?
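As an added example (not part of the story or of Arik's comment), here is a small Python audit over a constructed registry snapshot that turns the two points on this page into checks a defender can run over a dependency tree: which transitive dependencies rest on a single maintainer (the core-js situation in the story), and which execute code on every machine that installs them via npm install-time lifecycle hooks, rather than merely shipping data (the code-versus-data distinction in the comment). All package names, maintainer lists, dependency edges and script text below are constructed for the example; only the maintainer handle zloirock comes from the story.

```python
"""Dependency-risk audit: bus factor and install-time code execution.

Example code, not from SoylentNews, core-js or npm. The REGISTRY dict is a
constructed stand-in for the metadata a package registry would return.
"""
import json
from collections import deque

# npm lifecycle hooks that run automatically when a package is installed.
# A package declaring any of these executes code on the installing machine.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed registry snapshot. Every package name, maintainer (except the
# zloirock handle from the story), dependency edge and script string here is
# invented for this example.
REGISTRY = {
    "web-app": {
        "maintainers": ["alice", "bob"],
        "scripts": {},
        "dependencies": ["core-js", "tiny-util"],
    },
    "core-js": {
        "maintainers": ["zloirock"],
        "scripts": {"postinstall": "node postinstall.js"},  # constructed
        "dependencies": [],
    },
    "tiny-util": {
        "maintainers": ["carol"],
        "scripts": {},
        "dependencies": ["left-pad-ish"],
    },
    "left-pad-ish": {
        "maintainers": ["dave", "erin", "frank"],
        "scripts": {"test": "mocha"},  # test hooks do not run on install
        "dependencies": [],
    },
}


def install_hooks(meta):
    """Return the install-time lifecycle hooks a package declares, in hook order."""
    scripts = meta.get("scripts", {})
    return [hook for hook in INSTALL_HOOKS if hook in scripts]


def transitive_closure(root, registry):
    """Every package reachable from root (root excluded), in breadth-first order.

    Packages missing from the registry snapshot are still reported so the
    caller can flag them rather than silently skipping them.
    """
    seen = {root}
    order = []
    queue = deque(registry[root]["dependencies"])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        order.append(name)
        queue.extend(registry.get(name, {}).get("dependencies", []))
    return order


def audit(root, registry, min_maintainers=2):
    """Flag transitive dependencies with a low bus factor or install-time code.

    Returns a list of {"package": name, "issues": [...]} for packages that
    raise at least one issue; packages with no issues are omitted.
    """
    findings = []
    for name in transitive_closure(root, registry):
        meta = registry.get(name)
        if meta is None:
            findings.append({"package": name, "issues": ["not in registry snapshot"]})
            continue
        issues = []
        maintainers = meta.get("maintainers", [])
        if len(maintainers) < min_maintainers:
            issues.append(f"bus factor {len(maintainers)}")
        hooks = install_hooks(meta)
        if hooks:
            issues.append("runs code at install time: " + ", ".join(hooks))
        if issues:
            findings.append({"package": name, "issues": issues})
    return findings


if __name__ == "__main__":
    print(json.dumps(audit("web-app", REGISTRY), indent=2))
```

Run against the snapshot, the audit reports core-js (one maintainer, plus a postinstall hook) and tiny-util (one maintainer) and stays quiet about left-pad-ish, whose only script is a test hook that npm does not run on install. The install-hook column is where the comment's distinction bites: a package with a postinstall script gets code execution on every developer workstation and CI runner that installs it, which is why installing with npm's `--ignore-scripts` option is a common mitigation when such packages cannot be avoided.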