New ask Hacker News story: Ask HN: Pragmatic way to avoid supply chain attacks as a developer

Ask HN: Pragmatic way to avoid supply chain attacks as a developer
2 by RoboTeddy | 0 comments on Hacker News.
In the usual course of writing software, it's common to install huge dependency chains (npm, pypi), and any vulnerable package could spell doom. There's some nasty stuff out there, like https://ift.tt/UMx9Dq7 which uploaded people's SSH keys to the attacker. It's easy to say just "use containers" or "use VMs" — but are there pragmatic workflows for doing these things that don't suffer from too many performance problems or general pain/inconvenience? Are containers the way to go, or VMs? Which virtualization software? Is it best to use one isolated environment per project no matter how small, or for convenience's sake have a grab-bag VM that contains many projects all of which are low value? Theorycrafting is welcome, but I am particularly interested in hearing from anyone who has made this work well in practice.
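One concrete shape the "one isolated environment per project" workflow can take, added here as an example and not part of the original post: a small POSIX shell wrapper that runs the dependency install in a throwaway container that sees only the project directory, so a malicious install hook cannot reach `~/.ssh`, `~/.aws` or anything else in the developer's home. It assumes Docker is installed, that the project uses npm with a lockfile, and that the image name is a placeholder to be pinned by digest; `build_install_cmd`, `run_install` and the `DRY_RUN` variable are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the HN post): per-project sandboxed dependency install.
# Threat addressed: a compromised package's install script reading host secrets.
# Assumptions: Docker available; project uses npm with a lockfile; the image tag
# below is a placeholder and should be pinned by digest in real use.

# build_install_cmd PROJECT_DIR [IMAGE]
# Prints (does not run) the docker command. Only PROJECT_DIR is mounted, the
# container root filesystem is read-only, HOME is a tmpfs that vanishes on exit,
# all capabilities are dropped, and npm's lifecycle scripts are disabled.
build_install_cmd() {
  proj=$1
  image=${2:-node:20-slim}            # placeholder image; pin by digest
  uid=$(id -u); gid=$(id -g)          # run as the caller, not as root
  printf '%s' "docker run --rm \
  --user ${uid}:${gid} \
  --cap-drop=ALL --security-opt no-new-privileges \
  --read-only --tmpfs /tmp \
  --mount type=bind,src=${proj},dst=/work \
  --workdir /work \
  -e HOME=/tmp \
  ${image} \
  npm ci --ignore-scripts"
}

# run_install PROJECT_DIR [IMAGE]
# Executes the command, or just prints it when DRY_RUN=1 (useful for review).
run_install() {
  cmd=$(build_install_cmd "$1" "$2")
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$cmd"
  else
    eval "$cmd"
  fi
}

# Example usage (constructed path):
#   DRY_RUN=1 run_install /path/to/project
```

The two settings that do most of the work are the mount (only the project directory, never `$HOME`) and `--ignore-scripts`, which stops `postinstall` hooks from running at all; packages that genuinely need a build step can be rebuilt afterwards with an explicit, reviewed `npm rebuild <pkg>` inside the same container. Because nothing outside `/work` survives the container, the same wrapper gives a fresh environment per project at roughly the cost of a normal `npm ci`.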