jatone
This is wonderful thanks for sharing. Looking forward to the next round.
there is a nice CI/CD system that works locally and has at-cost hosted runners for personal plans. it's very early stage, but I've been using it for my personal projects.
it runs on a virtualization stack, and it can do things like GitHub Codespaces + CI/CD + model training. has built-in code coverage/custom metrics.
the codespaces bit doesn't work perfectly yet sadly (upstream issues) and mac support needs some improvements.
we're all frenemies here in the derp verse.
Probs, but I wasn't talking about going after trump. Plenty of other people that will send the message. Be creative.
how lgbt+ heavy is your friend group? literally 60% of my friend group is bi which tracks with these numbers. think there are only 2 strictly hetero males in the group.
I was careful with my word choices. I said communism not leftists theories generally. Communism is by definition a state managed/centrally planned economy.
I have no issue with left wing movements in general. My criticism is of centrally managed governments regardless of their origin.
And I do believe it's possible to structure a society aligned with left wing values, just not through communism, at least not in a way that is stable.
😂 the telegraph with the hottest out of touch take of the year.
we all know what you meant. you're just incorrect, you're conflating multiple different types of attacks and asserting the one that is easiest to resolve is an equivalent problem. shrug
- if the developer of the application is writing malware, it's malware, end of story. it's usually discovered rapidly and people avoid it.
- supply chain attacks are harder to achieve (i.e. uploading a tainted binary to a software repository)
- curling a shell script is pretty much the easiest target. you have a bunch of randomly set up servers serving a program that is literally intended to install software on systems. You now have a large surface area ranging from typo attacks to dns poisoning etc.
many devs I've encountered in the wild (FANG/startups/randomly) can barely sort a list without causing problems. so now we have people hosting multiple servers they probably didn't configure correctly. meaning instead of a few centralized repositories we need to secure, we now have to trust that these individual people have enough technical know-how to safely host such a setup.
that's the problem with these setups. it's not the developer being a bad actor we're worried about, it's the systems they've set up to serve these scripts. with checksums and side channels it's easy to validate the resulting binary, which effectively nips any issues with a compromised repository.
- no one is talking about NPM libraries. we're talking about released packages.
- you absolutely can ensure a binary hasn't been tampered with. it's called checksumming.
- you're confusing MITM attacks with supply chain attacks. MITM attacks are far easier to pull off.
Not everything is provided with a package manager
Yes. that's precisely the problem we're pointing out to you. if you're going to provide software over the internet, provide a proper package with checksum validation. it's not hard, stop providing bash scripts.
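The fetch-then-verify flow the comments above argue for (checksum obtained through a side channel, download refused on mismatch), as an added example that is not code from the thread. The URL and expected digest are placeholders; the caller supplies the digest from a source other than the download server (release page, signed manifest).

```shell
#!/bin/sh
# Added example, not code from the thread. Replaces `curl ... | sh` with
# fetch -> verify checksum -> only then run, so a tampered or poisoned
# download is refused instead of executed.
set -eu

# Print the SHA-256 hex digest of a file; falls back to shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# $1 = downloaded artifact, $2 = expected digest obtained out of band
# (release page, signed manifest), never from the same server as $1.
verify_sha256() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
    "$1" "$2" "$actual" >&2
  return 1
}

# Download to a temp file, verify, then print the verified path for the
# caller. --proto '=https' refuses redirects to plain HTTP.
fetch_verified() {
  url=$1; expected=$2
  tmp=$(mktemp)
  curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
    --output "$tmp" "$url"
  if verify_sha256 "$tmp" "$expected"; then
    printf '%s\n' "$tmp"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Usage (placeholder URL and digest, assumed for illustration):
#   installer=$(fetch_verified https://example.invalid/install.sh "$EXPECTED_SHA256") \
#     && sh "$installer"
```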
I'm sorry I had to bring them back down to earth for their own good.