
On Thu, Jan 23, 2020 at 1:08 PM D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
This article lists six cases of malware contributed to npm (the repo for sharing node.js and JavaScript source).
How many undetected cases exist?
I've always pretended that Linux distros vet their code. I'm not sure how true that is. Probably the greatest protection is the time delay between contribution and distribution.
I wonder what can be done about this problem. I've said so at our meetings a few times too.
Of course the problem is worse with closed source: it is impossible to audit the source. But closed source might have fewer contributors and more supervision. Of course much closed source is built on top of open source and thus all its weaknesses.
In this vein, a contact who in computer terms calls himself a dinosaur refuses to allow JavaScript on his computers, doing all his browsing on text-based browsers. In his opinion JavaScript is a serious accident already in free fall. What you're sharing only emphasizes that. Maybe it's time to join his anti-JavaScript position?

Regards