I’ve heard people mention curl and imagemagick. Any others that you know about?
Log4j was a fun one to watch unfold everywhere when things went haywire
The neat thing about the log4j thing was even a cursory explanation of the vulnerability made anyone with a passing familiarity with security say, “Why the fuck would that even be a feature?!”
Wait until you learn that PDFs support embedded Javascript.
??? What the what now?
That one was so annoying because you had to be using the log server to have any issues. If your network was locked down, the log server was disabled, or if you happened to be using a version that was from before the log server was added, then there were no issues. But clients just heard “log4j” and thought it was unsafe.
That was not a fun week to be a developer.
As a non-java company developer at the time, I think our biggest challenge was explaining to everyone that Log4j didn’t affect us. It took a non-zero amount of effort because a lot of customers panicked. To be fair, it was also an industry where confidentiality is important.
Also a lot of people were pulling it transitively.
Oh man. I missed it by like a month. I graduated with my bachelor’s in December, and started in January. I was hearing horror stories from my new coworkers about how people had to cancel vacations to get stuff patched asap.
It was if none of your code used log4j. I remember being very grateful that I had chosen java.util.logging and Logback for my Java logging needs.
Lol, yeah for us we didn’t own any of the code that used it but depended on server software made internally that did. At the time we managed our own hosts, so it was a long week of deployments.
cURL was one of these for a while (according to my limited understanding)
It was made in the 90s and it didn’t get commercial support until a few years ago.
Had GPT summarize what happened.
The “left pad” incident refers to a controversy that arose in 2016 when a developer named Azer Koçulu removed his JavaScript package called “left-pad” from the NPM (Node Package Manager) registry. This caused a ripple effect, breaking numerous projects that relied on this package and highlighting the potential risks of relying on external dependencies. The incident sparked a debate about the stability and trustworthiness of the open-source ecosystem and led to discussions about best practices for managing dependencies in software development.
This is the one I came to post about. The fact there’s a library for this is so stupid to me.
I feel like it demonstrates how npm and modules have probably to some degree gotten out of hand.
That’s always the one I’m thinking of when anyone mentions the xkcd.
npm is one crazy infrastructure.
From memory the NPM blokes had to have a think about how they handle important packages because of that. Didn’t they revert the changes to left pad to ensure everything else didn’t break?
Fascinating to see the house of cards some of these solutions / libraries are built off
Yes. They added it back. The policy now is that you can’t remove packages that are depended on (or something to that extent, I don’t know the specifics).
Yeah I’m pretty sure GitHub themselves restored the package if I recall correctly
This famously broke builds at Facebook.
Public NTP time servers have occasionally been that piece of infrastructure.
NTP is used for synchronizing computer clocks, ultimately using highly-accurate time sources such as atomic clocks. The most authoritative public time servers tend to be run by research universities, national labs, and so on.
Multiple home router vendors have sold devices configured to poll university NTP servers vastly excessively; effectively running a denial-of-service attack against public infrastructure. In a few cases, public time servers have closed down because of abuse by misconfigured consumer devices.
The core-js library is used by 1000s of top websites and is maintained by one guy
https://github.com/zloirock/core-js
He also went to prison
It’s honestly a fascinating read. We count so much on these kinds of people to keep our way of life intact, but when they ask for a little help in their own life, they get spat on.
It’s really, really sad that this sort of stuff doesn’t get picked up and funded for the greater good. Stuff like the NLnet Foundation exists, which has helped fund some pretty major projects (including the development of Lemmy), but something this critical I feel should be consistently funded by even larger entities in order to keep things working right.
That feels like it went seriously bad
This story got me sad. But also, the guy should know better as not to dedicate all of his time on that. This article talks a bit about this issue.
A developer maintained a NodeJS package called left-pad that would add leading whitespace to strings. He unpublished the package and broke basically the entire Node ecosystem until the repo owner forcibly republished it against the author’s wishes.
Basically every Windows sysadmin is indebted to Mark Russinovich and SysInternals. Fortunately, PowerToys has come a long way because I’m pretty sure sysinternals haven’t been updated since Windows XP.
Node frameworks are famous for this purely because of a lack of standard library. I feel like most languages have a standard library that balances being generic but still providing utilities of commonly used stuff. So a company that doesn’t want to rely on a random guy’s library can build their own with only the features they want. But with Node, any complicated feature is using a tree of hundreds of random packages that you have no idea who created them.
I believe the nodejs fiasco is what prompted this comic? https://www.google.com/amp/s/www.theregister.com/AMP/2016/03/23/npm_left_pad_chaos/
Another example is a large number of libraries using an external dependency to check if a number is odd.
Edit: maybe it was core js. I don’t remember the name exactly.
Standard JS. It’s a library maintained by one guy in Russia who went to jail for some car accident (I don’t have the full context). He needed money and had trouble getting it. Then the Ukraine invasion happened and that only made it more difficult for him to get money. Also he was harassed by less technical people seeing his code on websites thinking it was malicious.
It’s really a sad story to me.
Yeah it was quite shocking for me to read his story. Link for everyone who hasn’t come across it yet. https://github.com/zloirock/core-js/blob/master/docs/2023-02-14-so-whats-next.md
Edit: Just noticed that he used the exact same comic in this write up.
You mean coreJS, not standard JS, right? But yes, it’s a sad story.
Wow I saw that my angular projects used core-js, but it seemed so massive and fundamental that I assumed it had the backing of a large company like angular itself. It’s staggering to see that it was largely being held up by a single person and I hope their situation has improved since writing that blogpost. I can’t even begin to imagine donating so much time and energy to a project even in spite of getting so much hate in return.
OpenSSL / Heartbleed was the event when this comic came out IIRC.
Would you like to hear an OpenSSL joke?
It’s 64k letters long and you can repeat it back to me when I’m done.
It’s “A”.
Salvatore Sanfilippo - creator of Redis.
Well, he actually received much appreciation from the community. But it’s worth knowing IMO.
Nodejs left-pad https://www.theregister.com/2016/03/23/npm_left_pad_chaos/
RenderDoc is made by one person. It’s used by every graphics programmer. It’s free, open source, faster + better than anything else. I love it.