Exploiting Developer Infrastructure Is Ridiculously Easy

Thankfully, it was limited and quickly caught considering how long it could have gone unnoticed, but thinking about what could have happened leads us to an obvious conclusion:

Open Source Is Incredibly Broken

Let’s count all the things that went wrong.

1. An application (Copay) was built by consuming dependencies over the network without the entire tree’s dependencies locked.
2. Even without locked versions, those dependencies aren’t cached and are pulled on every build.
3. Thousands of other projects are dependent on event-stream with the same or similar configurations.
4. The maintainer stopped caring about a library that thousands of projects depended on.
5. Thousands of projects consume this library for free and expect it to be maintained without any compensation.
6. The maintainer gave full control to an unknown entity just because they asked for it.
7. There was no notification that control had changed; thousands of projects were just expected to consume the package with no warning.

There’s really no end—this list of things that went wrong could go on and on…

The damage this could have caused is incredible to think about. The projects that depend on this aren’t trivial either. Microsoft’s original Azure CLI depends on event-stream. Think of the systems that either develop that tool or run that tool. Each one of those potentially had this malicious code installed.

Open source is broken, and the larger it grows the more likely that catastrophic events will occur.

The problem is that so much software is built on the backs of people who are expected to work for free. They deliver useful software once but are expected to maintain it until the end of time. If they can’t, either they go dormant and ignore requests or security vulnerabilities (guilty!) or they pass the baton to someone else hoping they can get away without getting tagged ever again. Sometimes it works. Sometimes it doesn’t. But no outcome can excuse the security vulnerabilities this exposes in the software supply chain. Even the discovery of, research into, and subsequent damage control for this exploit was done largely by unpaid volunteers of the open-source ecosystem.

The fault is so widely distributed there’s no use in placing blame. Open source, as it has grown, is broken.
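The first two failures in the list above, floating version ranges and a dependency tree that is not fully locked, can be checked mechanically before a build pulls anything from the network. The following is an added example, not code from the original post: it audits an npm package.json together with a lockfileVersion 2/3 package-lock.json and flags unpinned ranges, a missing lockfile, and locked entries that carry no integrity hash. The package names and lockfile contents are constructed for illustration.

```javascript
// Added example: audit an npm manifest and lockfile for unpinned or unlocked dependencies.
// A version is treated as pinned only if it is an exact semver (e.g. "1.2.3" or "1.2.3-rc.1").
function isFloating(range) {
  return !/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(String(range).trim());
}

// Returns a list of findings; an empty list means every declared dependency is pinned
// and every entry in the lockfile has both a version and an integrity hash.
function auditDependencies(manifest, lockfile) {
  const findings = [];
  const declared = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    if (isFloating(range)) findings.push({ kind: "floating-range", name, range });
  }
  if (!lockfile) {
    // No lockfile at all: the whole tree is resolved at build time over the network.
    findings.push({ kind: "no-lockfile" });
    return findings;
  }
  // lockfileVersion 2/3 keeps a "packages" map keyed by "node_modules/<name>".
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // root project entry
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.version) findings.push({ kind: "unlocked", name });
    else if (!entry.integrity) findings.push({ kind: "missing-integrity", name, version: entry.version });
  }
  return findings;
}

// Constructed sample (hypothetical package names): the app declares a caret range on
// "stream-utils", and its transitive dependency "stream-helper" is locked without a hash.
const sampleManifest = {
  name: "sample-app",
  dependencies: { "stream-utils": "^3.3.4", "pad-helper": "1.3.0" }
};
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app" },
    "node_modules/stream-utils": { version: "3.3.6", integrity: "sha512-CONSTRUCTED" },
    "node_modules/stream-helper": { version: "0.1.0" },
    "node_modules/pad-helper": { version: "1.3.0", integrity: "sha512-CONSTRUCTED" }
  }
};

function runSample() {
  return auditDependencies(sampleManifest, sampleLock);
}
```

With the sample inputs the audit reports the caret range on stream-utils and the missing integrity hash on stream-helper; in a real pipeline the same check would fail the build before `npm install` runs.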
