• RustyNova@lemmy.world
    link
    fedilink
    English
    arrow-up
    134
    arrow-down
    4
    ·
    9 months ago

    *bad Devs

    Always look on the official repository. Not just to see if it exists, but also to make sure it isn’t a fake/malicious one

    • maynarkh@feddit.nl
      link
      fedilink
      English
      arrow-up
      97
      arrow-down
      3
      ·
      edit-2
      9 months ago

      *bad Devs

      Or devs who don’t give a shit. Most places have a lot of people who don’t give a shit because the company does not give a shit about them either.

      • Passerby6497@lemmy.world
        cake
        link
        fedilink
        English
        arrow-up
        49
        arrow-down
        9
        ·
        9 months ago

        What’s the diff between a bad dev and a dev that doesn’t care? Either way, whether ist lack of skill or care, a bad dev is a bad dev at the end of the day.

        • Obinice@lemmy.world
          link
          fedilink
          English
          arrow-up
          31
          arrow-down
          2
          ·
          9 months ago

          I can be good at a trade, but if I’m working for a shit company with shit pay and shit treatment, they’re not going to get my best work.

          You get out what you put in, that’s something employers don’t realise.

        • maynarkh@feddit.nl
          link
          fedilink
          English
          arrow-up
          18
          arrow-down
          1
          ·
          9 months ago

          The difference is whether the fault for the leak of your personal data rests with the worker who was incompetent, or the employer who didn’t pay for proper secure software.

            • maynarkh@feddit.nl
              link
              fedilink
              English
              arrow-up
              8
              ·
              9 months ago

              Depends on the case TBH. If devs barely have time and are constantly crunching due to mismanagement, or are extremely disengaged due to mismanagement, I wouldn’t fault them.

              Usually it’s the lacking processes, though. There are ways to make sure this doesn’t happen, and it doesn’t depend on the individual, but always the organization.

          • jackalope@lemmy.ml
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            9
            ·
            9 months ago

            A good dev would unionize their workplace and push back. A dev who doesn’t care and just clocks on bad work because their boss sucks is not a good dev. Fight back.

            • gaael@lemmy.world
              link
              fedilink
              English
              arrow-up
              9
              arrow-down
              1
              ·
              9 months ago

              Yeah sure, because everyone has the skills, time, energy and safety required to unionize a shitty workplace they only go to to be able to pay their rent.

              • jackalope@lemmy.ml
                link
                fedilink
                English
                arrow-up
                2
                arrow-down
                6
                ·
                9 months ago

                Dev jobs are not hard to come by and they pay very well. It’s not like being a day laborer or something where we are scraping the bottom of the barrel. Have a little courage.

                • gaael@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  arrow-down
                  1
                  ·
                  edit-2
                  9 months ago

                  Looks like your mind is set. I wish you a good day and I hope you pick up a little more empathy along your way, and I hope some day you’ll get that a lot of people feel trapped where they are.

    • db0@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      27
      arrow-down
      1
      ·
      9 months ago

      You’d be surprised how well someone who wants to can camouflage their package to look legit.

      • RustyNova@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        9 months ago

        True. You can’t always be 100% sure. But a quick check for download counts/version count can help. And while searching for it in the repo, you can see other similarly named packages and prevent getting hit by a typo squatter.

        Despite, it’s not just for security. What if the package you’re installing has a big banner in the readme that says “Deprecated and full of security issues”? It’s not a bad package per say, but still something you need to know

      • KairuByte@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        9 months ago

        Yeah, I’m confused on what the intent of the comment was. Apart from a code review, I don’t understand how someone would be able to tell that a package is fake. Unless they are grabbing it from a. Place with reviews/comments to warn them off.

        • KillingTimeItself@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          the first most obvious sign is multiple indentical packages, appearing to be the same thing, with weird stats and figures.

          And possibly weird sizes. Usually people don’t try hard on package managing software, unless it’s an OS for some reason.

          • KairuByte@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            Unless you’re cross checking every package, you’re not going to know that there are multiple packages. And a real package doesn’t necessarily give detailed information on what it does, meaning you can easily mistake real packages as fake when using this as a test.

            The real answer is to not trust AI outputs, but there is no perfect answer to this since those fake packages can easily be put up and sound like real ones with a cursory check.

            • KillingTimeItself@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              1
              ·
              9 months ago

              depends on how you integrate it i suppose. A system that abstracts that is pretty awful.

              At the very least, you should be weary of there being more than one package, without explicit reason for such.

      • KillingTimeItself@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        9 months ago

        we just experienced this with LZMA on debian according to recent reports. 2 years of either manufactured dev history, or one very, very weird episode.

    • nyan@lemmy.cafe
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      1
      ·
      9 months ago

      The official repositories often have no useful oversight either. At least once a year, you’ll hear about a malicious package in npm or PyPI getting widespread enough to cause real havoc. Typosquatting runs rampant, and formerly reputable packages end up in the hands of scammers when their original devs try to find someone to hand them over to.