this post was submitted on 02 Mar 2024
240 points (98.0% liked)

Technology

59424 readers
2961 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

GitHub is under automated attack by millions of cloned repositories filled with malicious code.::Thanks to a combination of sophisticated methodology and social engineering, this particular attack seems to be very difficult to stop.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 11 points 8 months ago* (last edited 8 months ago) (1 children)

A decentralized developer community is resilient against this sort of attack for the very reason GitHub is so vulnerable: size.

No, it's not. Not in literally any way. Not 1%. Not 0.000000000000000001%. You don't even get security by obscurity as a nebulous benefit because the core mechanisms are basically the same between instances.

No projects are being compromised. They're being imitated and passed off as the real thing to the naive. You can just as easily do that on another server (including established ones by adding multiple domains to your scripts) when people expect to use thousands of different git hosts as you can on GitHub, except without the benefit of the scale of Microsoft's expertise at handling this type of attack.

I'm all for federated git being the way forward. I'd love to see it grow into a reasonable option. But it has no benefit in any context against an attack like this.

[–] [email protected] 0 points 8 months ago (1 children)

a decentralized community that correctly prioritizes security would absolutely be using signed commits and other web-of-trust security practices to prevent this sort of problem

[–] [email protected] 3 points 8 months ago

New accounts exist and have good reason to exist. You can't and shouldn't ban new accounts from creating projects.

Anyone capable of understanding what "web of trust" means is already way too sophisticated to be misled by these fake projects.