Just absolutely no regard for security at all.
-
“the CLI binary (dist/cli.mjs) and all other package contents are identical to the legitimate cline@2.2.3 release.
A corrected version (2.4.0) was published at 11:23 AM PT and 2.3.0 was deprecated at 11:30 AM PT. The compromised token has been revoked and npm publishing now uses OIDC provenance via GitHub Actions.”https://github.com/cline/cline/security/advisories/GHSA-9ppg-jx86-fqw7
I didn’t know about using “OpenID Connect (OIDC) to authenticate GitHub Actions” and wonder how many surfaces it closes and whether it opens new surfaces?
-
@mhoye While the whole situation from AI injection down to 'packages can postinstall global packages' is a series of bad to insane decisions, the only thing I really don't understand is ... why install openclaw on machines? Was this trying to achieve something or just show it was possible?
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
-
@mhoye could you share the source? Thanks in advance
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye
Could you provide a source URL to this? -
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
-
@mhoye
Could you provide a source URL to this? -
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
FFS.
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye
> developers not working in an isolated environment (zone, vm, jail, etc) and letting their devtools access their whole laptop
they deserve it -
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye postinstall was probably the worst thing added to npm - it's been there since the start with absolutely no effort to secure it or remove it
-
@mhoye
> developers not working in an isolated environment (zone, vm, jail, etc) and letting their devtools access their whole laptop
they deserve it@feld "they deserved it" is a childish, bullshit response to systemic problems.
-
-
@mhoye postinstall was probably the worst thing added to npm - it's been there since the start with absolutely no effort to secure it or remove it
@tanepiper It's been around in the Debian dpkg system for ages, and it's got a lot of utility in that context and definitely works system-wide. But the Debian community doesn't have the NPM "let anyone do anything whatever" ethos, and the versioning systems in that part of the world are much slower and more methodical. You pretty much need to be on Sid and updating every day to get bitten by this in that part of the ecosystem.
-
-
@tanepiper It's been around in the Debian dpkg system for ages, and it's got a lot of utility in that context and definitely works system-wide. But the Debian community doesn't have the NPM "let anyone do anything whatever" ethos, and the versioning systems in that part of the world are much slower and more methodical. You pretty much need to be on Sid and updating every day to get bitten by this in that part of the ecosystem.
@mhoye yes, that's the parallel part to it - being responsibility enough to have that level of utility - sadly npm is a wildwest of some of the poorest software development practices out there.
-
@tiotasram @mhoye yeah not sure I'd want it installed, but I assume it doesn't do anything just on install, like you'd need to set-up keys or features or something? But then I wouldn't assume packages could global install so who knows anymore.
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye the "S" in "AI" stands for "Security"
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye Yikes!
