RE: https://infosec.exchange/@agreenberg/116612806345022171
People have been warning for years that VS Code extensions, npm, GitHub Actions and similar systems were all insecure as designed. Add to that a pervasive monoculture and slop automation and we're in a disaster that simply didn't need to happen. npm could have been safer by default. GitHub Actions could have been better designed. VS Code could have sandboxed extensions better.
Coding agents, the inattentiveness, automation and confirmation biases, their inherent insecurity, and the common insecurity of their output all exacerbate the issue but what's coming to a head is the fact that we've been letting software quality, design, and usability slide for over a decade.
When you let things slide for over ten years, there comes a point where everything simply falls apart.
@baldur Tell me if I'm off base, but I feel like the entire push for the cloud and for automated pipelines is all based on the promise by big tech that you can fire your entire ops team with no extra work for developers, since everything is automated now. Except things just suck now.
@robinsyl I mean, "promises that never pan out and really just make things worse" is pretty much a standard part of the tech industry playbook since ca. 2008 (at least), with numerous examples predating that even if they might not have been the norm.
@baldur I always find critiques of package managers like npm quite hand-wavey... I have my thoughts on how to improve it, but have you got any good sources on what it would take to approximate the appeal and advantages of npm while limiting exposure? I haven't found any solid work on it...
@baldur yeah. But have you considered just adding more duct tape
Duh
@baldur always easy to say that something could be better. But not easy to implement.
@baldur Prof. Edsger Dijkstra's words from 1975: "Complexity generators."
I mean, VS Code is a Microsoft product. They don't care about security any more than they absolutely have to...