This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
The term "supply chain attack" has been applied to the world of software (not just pagers in Lebanon) to describe a modern phenomenon that arises because of the way modern software development works. Very little code today is written by an individual (or small group of individuals who are all working for the same company or whatever) in a way that relies only on their efforts to run it all the way down to the bare metal. Dependencies are essentially omnipresent. That is, someone else, somewhere, wrote some other code that the main characters in our story think could be helpful for making their own code work, so they just import it and use it. They often have to trust that it just does what it says it does on the tin. They may have to hope that if something goes wrong with it, that someone else (or their successors) will update it and keep it running correctly. This phenomenon is probably most famously summed up in this XKCD.
As such, it is sometimes possible for someone to get into one of these dependencies, find or insert a flaw, and then exploit it in order to get at some higher-level software package. There have been tons of examples, some very high profile, of this happening. The funniest version that I had heard of to date was "typosquatting". The idea is that, sometimes, just by random chance, some programmer somewhere will misspell a package that they want to import. Typosquatting is used for websites, too, where there is just some chance that some number of people will misspell a website and happen to go to a site controlled by a bad guy (famous example was goggle(dot)com). The idea for package dependencies is the same; some percentage of the time, some programmer may just accidentally type "hugingface" instead of "huggingface"; if the bad guys published a malicious version by that typo-d name and the programmer in question somehow doesn't catch it, big oof.
There is now a funnier version. Of course it would be LLMs that give us a funnier version. "Slopsquatting", they call it. They even created a wikipedia article already for the paper. The idea is that so many coders (and "vibe coders") are now using LLMs to create mountains of new code, some who barely understand what's going on in their newly-created code. The LLM just creates it, and it works! It's magic! Of course, anyone who has spent much time with LLMs know that they do occasionally hallucinate. And, well, hallucinating is close enough to typo-ing that it'll get the job done.
It turns out that LLMs will, some percentage of the time, just randomly hallucinate a package that doesn't exist (or at least, doesn't exist yet). They'll "imagine" that maybe such a package, if it existed, might be helpful to the task they were given to accomplish. And they'll just write code as if it existed and did the thing that they'd kinda like it to do. Of course, just like with typosquatting, if you have an attentive and knowledgeable human watching closely, there's no reason why they couldn't catch it. But again, we're entering the world of "vibe coders"; at least some percentage of them are simply not going to have a clue. "The magic inscrutable matrices gave me this code. I'll try to run it."
So now, what if the bad guys have already figured this out? The bad guys create a package that they think is likely to be hallucinated, and they turn it into a very bad package, indeed. To the "vibe coder", it might even look like it's running correctly! The magic inscrutable matrices came through again; let's ship some product! Utterly brilliant... and utterly devilish.
At least this one is funny.
And the solution is the increasingly important SBOM (Software Bill of Materials). There are tools that help generate them and keep track of it as a project grows and I imagine (or rather, foolishly hope) that important software that should be secure will be expected to have one in the near future.
How does SOBM prevent you from misspelling a dependency?
you could presumably look at the list of packages that are depended on and see how many installs they have
the package that looks like an important one that only has 10 installs vs the rest that have millions is a good clue
it's way too late to look at the SBOM though. installing a rogue package recommended by an LLM already risks totally compromising development
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link