This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
And the solution is the increasingly important SBOM (Software Bill of Materials). There are tools that help generate them and keep track of it as a project grows and I imagine (or rather, foolishly hope) that important software that should be secure will be expected to have one in the near future.
An SBOM is a great thing... for projects that have dependencies. My employer has gone in too hard on trying to have as many stampable "we do X!" as they can to be safe and good and please other businesses, even in cases where it makes no sense. My little division works in a very special environment that has effectively zero available third party libraries. This has been true for over a decade - we are our own special corner. And yet! We must now have a SBOM (it's blank) and do a scan for known third party vulnerabilities (always zero) and pass an license compatibility check (no licenses but the one we put on our own stuff) and so on and so on. It's not that onerous, but it's extremely annoying to know that we are forced to waste some small slice of our time and effort keeping green flags for so many checkmarkables that we could not possibly fail. All this, and the cherry on top is that each component we make (none of which bring in any third party code) has to pass all these individually, and then the final product again has to pass them all - the final product made entirely and exclusively of the components we are already (pointlessly) checking.
Yes, compliance team, I understand the importance of validating third party code and the possibility of security issues! We just don't have any!
More options
Context Copy link
How does SOBM prevent you from misspelling a dependency?
Your build workflow should hopefully warn you when you are importing a dependency you did not manually approve of, but to do that it needs to keep track of those (hence the SBOM).
Moreover, it protects you from (some) mistakes made upstream. That lone overworked dev whose work on a library is pivotal to many other projects making a typo and importing a backdoored library is now going to be triggering alerts for downstream projects.
Any serious shop is already reviewing code changes, so the original bogus import should already be reviewed and I don't see this as additional protection. I guess it offers some protection if (as the other commenter suggested) packages with very few users are specially flagged during review. But merely flagging the addition of a new library is not useful, nobody is going to be chasing down new libraries in each code review to see if they are legit or not.
This is a good point, though it doesn't cover the novel library case. It relies on having a list of backdoored libraries to reference, but such libraries could simply be removed from the package manager altogether. Otherwise, I guarantee nobody is going to review the complete transitive dependency list for new slopsquatted libraries, ever.
At least in my shop, the workflow has been to generate a spreadsheet with alphabetized dependencies, marked by version and environment, across all projects, and leads review them once a month. Yes, for internal development this is all stuff that's getting looked over anyway during normal PRs, but a second set of review's not always a bad thing. For external tools, or dependency-of-dependency issues, or where an old library is getting increasingly out-of-date, it can be a first impression matter, and that has highlighted some concerns or vulnerabilities that weren't visible without delving deep into log files.
((That said, b/c we have some python situations, it's also had 'semver, damn near killed him' sorta problems where a 'bugfix' update also broke everything subtly. And a larger number of cases where 'this second library looks like a typo of the first library' that was just QT being QT.))
I've been trying to figure out a way to automate date-of-update fields for at least some of those dependencies, but it's ... been kinda a pain in the ass. I dunno if commercial SBOM tools do that. Most of the ones I've looked at only advertise highlighting 'known risk' versions and 'known good' ones, which I'm less a fan of. It's not fun and it's not hugely effective even at small scales -- I can't really do much more than google a lot of dependencies for server tools, since we're a pretty small shop and that's far out of my field of experience -- but it's not just box-checking either.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
you could presumably look at the list of packages that are depended on and see how many installs they have
the package that looks like an important one that only has 10 installs vs the rest that have millions is a good clue
it's way too late to look at the SBOM though. installing a rogue package recommended by an LLM already risks totally compromising development
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link