So how many supply chain attacks do we need to actually change things? Feels like I read about new supply chain attacks every day at this point.

As many as fit in the period of time it takes for a better generation of developers to grow up.

Unfortunately I think devs nowadays (me included) are insanely bad compared to the devs back in the day who actually had to learn about their computers.

Somehow we've decided to trust and connect everything. It became industry standard, because it's convenient. It's a side effect of complexity.

Even if you're skilled, if you are forced into these practices, then you will take shots. Decision making is the core problem here, a side effect of skill and agency.

A lot of things need to be rebuilt from the ground up, and many devs would prefer convenience and tradition.

> many devs would prefer convenience and tradition

This is too reductive of the situation.

If it ain’t broke don’t fix it. Except, in this case, unless you have someone tell you it’s broken you won’t even know you need to fix it.

And this is where asymmetry comes into play. Attackers are free to test and break as much as they want as long as they are silent. Whereas maintainers don’t know if the fix an LLM proposes will actually address the issue or cause some regression elsewhere.

IMO, if Microsoft wants actually good PR around GitHub for once they would offer free LLM security audits on all actions for at least the X most popular repos…