So much wasted energy

Posted Sep 8, 2025 20:30 UTC (Mon) by kazer (subscriber, #134462)
In reply to: So much wasted energy by zyga
Parent article: npm debug and chalk packages compromised (Aikido)

It is a bizarre situation when distributions put a lot of effort into tracking packages, while people just use a browser that downloads and runs scripts without any of that. Sure, the browser is a "sandbox" but it still has access to various pieces of private information.


So much wasted energy

Posted Sep 9, 2025 8:41 UTC (Tue) by nim-nim (subscriber, #34454) [Link]

There has been a deliberate developer push to kill actors that perform intermediation (and have annoying opinions on QA updates and security) and switch to a direct artefact download model. Because who cares about consequences, and if it's downloaded somewhere else it's some other developer's problem. With the full support of cloud giants (who are not themselves dumb enough to run non-audited third-party code, they perform internal intermediation, but they are all too happy to kill other IT gravity wells).

Of course the legislators are becoming wise to the trick (cf. the CRA) and are increasingly making downloaders liable for the stuff they inflict on customers. Which may eventually end in a new intermediation push. Though not through distributions, reinventing the wheel for $$$$ is all too seductive. The first generations of new intermediators are underwhelming and just check artefacts for malware signatures.

So much wasted energy

Posted Sep 9, 2025 10:45 UTC (Tue) by q3cpma (subscriber, #120859) [Link]

Fortunately, https://www.localcdn.org/ exists!


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.