Conversation

Patrick Walton
@pcwalton
When the left-pad debacle happened, I feared that people would conclude “dependencies are bad”. (Instead of the logical conclusion, which is “don’t allow dependencies to be deleted from package registries.”) That prediction turned out to be true. :(
13
86
Daniel Micay
@DanielMicay
Replying to
@kornelski
@TheEduardoRFS
and
@pcwalton
It's worth keeping in mind that Git hashes and signed commits / tags entirely depend on sha1 though. It's increasingly a bad idea to depend on any of it for security. Unfortunately, Git doesn't offer a solution and sources really need to be distributed in signed archive files.
2
2
Daniel Micay
@DanielMicay
Replying to
@kornelski
That's why I said it's an increasingly bad idea to depend on it. It doesn't make sense to be building infrastructure today that depends on sha1 and has no real migration plan away from it. Creating a dependency on Git revisions or signed commits / tags today isn't a good plan.
Twitter Web App
Daniel Micay
@DanielMicay
Replying to
@DanielMicay
and
@kornelski
Something being known also doesn't imply that it's public. The reasoning that you're using is flawed. Publicly disclosed vulnerabilities or attacks aren't the full picture. It's known to have serious weaknesses and an accelerating pace of the disclosed attacks being improved.
2
Daniel Micay
@DanielMicay
Replying to
@DanielMicay
and
@kornelski
As I mentioned, it's also very bad practice to be exposing so much attack surface before verification rather than after verification. For example, it isn't considered appropriate for a binary package manager to extract files from an archive before verifying yet it's way simpler.
1
Show replies