this post was submitted on 12 Apr 2026
12 points (92.9% liked)

top 3 comments
[–] Kissaki@programming.dev 4 points 2 days ago

Not updating, but auditing instead, would work if every direct and transitive dependency provided security updates for every version. But they don't. Often, security updates are for the most recent version or versions, and if you're far behind, you now have to audit a lot more.

Transitive dependencies are an audit problem, too. To audit something, you essentially have to audit recursively. Many libs use many other libs by varied authors.

Our systems are too open, too vulnerable. A build or check being able to access all resources is a fundamental systematic vulnerability.
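
The two audit problems Kissaki raises (fixes that only exist on a newer release line, and the recursive blow-up of transitive dependencies) as an added example that is not part of the thread. The lockfile, package names, versions and advisories are all constructed for illustration; the script walks the pinned graph transitively and sorts each matching advisory into "bump the pin" versus "no fix on your line, audit or migrate":

```python
"""Added example, not from the thread. Walks a constructed, pinned
dependency graph transitively and matches it against a constructed
advisory list to show why "don't update, just audit" does not scale.
Every package, version and advisory here is made up."""
from collections import deque

# Constructed lockfile: package -> (pinned version, direct dependencies)
LOCKFILE = {
    "app":       ("1.0.0", ["web-fw", "yaml-lib"]),
    "web-fw":    ("2.3.1", ["http-core", "tmpl"]),
    "http-core": ("0.9.4", ["zlib-wrap"]),
    "tmpl":      ("4.1.0", []),
    "yaml-lib":  ("5.2.0", ["zlib-wrap"]),
    "zlib-wrap": ("1.0.2", []),
}

# Constructed advisories: (package, affected inclusive range, fixed-in version)
ADVISORIES = [
    ("http-core", ("0.9.0", "0.9.9"), "1.1.0"),  # fix only on a new major line
    ("zlib-wrap", ("1.0.0", "1.0.2"), "1.0.3"),  # patch release on the same line
    ("tmpl",      ("4.0.0", "4.0.9"), "4.1.0"),  # already fixed at our pin
]


def vtuple(v):
    """'1.2.3' -> (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def walk(lock, root):
    """BFS from root. Returns ({pkg: pinned version}, {pkg: first parent seen})."""
    versions, parents = {}, {}
    queue = deque([(root, None)])
    while queue:
        pkg, parent = queue.popleft()
        if pkg in versions:
            continue  # already visited via another path
        version, deps = lock[pkg]
        versions[pkg] = version
        parents[pkg] = parent
        queue.extend((d, pkg) for d in deps)
    return versions, parents


def transitive_closure(lock, root):
    """Every package you would have to read to audit root, root included."""
    return walk(lock, root)[0]


def dependency_chain(lock, root, pkg):
    """Shortest path root -> ... -> pkg, i.e. who pulled this library in."""
    _, parents = walk(lock, root)
    chain = []
    while pkg is not None:
        chain.append(pkg)
        pkg = parents[pkg]
    return chain[::-1]


def audit(lock, root, advisories):
    """{pkg: [(pinned, fixed_in, kind)]} for every advisory hitting the closure.
    kind is 'patch' when the fix is on the pinned major line (cheap: bump the
    pin) and 'audit' when the only fix lives on a newer major line, so staying
    put means auditing or patching the old code yourself."""
    closure = transitive_closure(lock, root)
    findings = {}
    for pkg, (lo, hi), fixed in advisories:
        if pkg not in closure:
            continue
        pinned = closure[pkg]
        if not (vtuple(lo) <= vtuple(pinned) <= vtuple(hi)):
            continue
        kind = "patch" if vtuple(pinned)[0] == vtuple(fixed)[0] else "audit"
        findings.setdefault(pkg, []).append((pinned, fixed, kind))
    return findings


if __name__ == "__main__":
    closure = transitive_closure(LOCKFILE, "app")
    print(f"audit surface: {len(closure)} packages")
    for pkg, hits in audit(LOCKFILE, "app", ADVISORIES).items():
        for pinned, fixed, kind in hits:
            via = " -> ".join(dependency_chain(LOCKFILE, "app", pkg))
            print(f"{kind:5} {pkg} {pinned} (fixed in {fixed}) via {via}")
```

Running it against the constructed data reports one cheap `patch` (zlib-wrap, reached through yaml-lib) and one `audit` (http-core, whose only fix is on the 1.x line), which is the shape of the problem: the further the pin sits behind the maintained line, the more of the closure ends up in the second bucket.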

[–] bitfucker@programming.dev 2 points 1 day ago

This is an interesting perspective. I have not thought about this even as a developer.

[–] AntiBullyRanger@ani.social 1 point 2 days ago* (last edited 1 day ago)

I used to be a developer, and I completely agree.

I don't owe anyone anything. And if you won't compensate me for work you demand, I am less willing to cover your mistake.

“Supply-chain” is an invented capitalist digressive term that they forwent compensation for security. Even in our /c/, folks think capitalists will pay 7 additional days to review issues at no cost. It’s preposterous. Nazis prefer automating our quality assurance.

No pay, no game.


Edit! This type of ignorance even extends into other industries! Here’s my scene, making a bounty, not accounting for modern Nazi costs of hardware.