The latest npm security kerfuffle
-
@kazitor said in The latest npm security kerfuffle:
All the crap nodejs pulls and has resulted in honestly makes me hesitant to label myself a JavaScript developer, or use that word in any sort of proximity to descriptions of myself.
That's why you don't want to be a JS developer? Heh. There were plenty of good reasons not to, long before Node or NPM was ever a thing. All this is is validation.
-
@Zerosquare said in The latest npm security kerfuffle:
Sure, but both microcode designers and assembly programmers are generally people who know what they're doing, aren't likely to use things they don't understand, or make changes without thinking about the consequences.
Yes, they are people the spectre of whose decisions will never come back to haunt those who rely on them...
-
I see what you did there.
I didn't claim they were perfect, only that they were significantly more competent than your average JS developer. The flaw you reference went unnoticed by specialists for more than a decade, and the attack is pretty damn clever.
Whereas "website got hacked for not following beginner-level security practices, gigabytes of personal data now available on Pastebin" is so common it occurs every week.
-
@Zerosquare said in The latest npm security kerfuffle:
I didn't claim they were perfect, only that they were significantly more competent than your average JS developer.
Google JS developers are also significantly more competent than your average JS developer. It's not a matter of abstraction level.
The flaw you reference went unnoticed by specialists for more than a decade
unreported*
-
@Gąska said in The latest npm security kerfuffle:
Google JS developers are also significantly more competent than your average JS developer.
Since your average JS developer appears to be someone barely able to string two coherent grunts together, much less competently copy someone else's code off of Stack Overflow, you're really setting a low bar there…
-
@dkf it wasn't me who chose that reference point.
-
I'm starting to wonder whether NPM doesn't secretly mean "Not a Package Manager"
-
@martijntje NPM: Neat Pile of Manure
-
@masonwheeler You can write clean JS code and just use the odd library to fill in the bits that aren't right, e.g. I normally use MomentJS because the JavaScript date object is just a PITA.
However it is becoming increasingly obvious that the JavaScript Community has created a house of cards that it cannot manage.
-
@masonwheeler said in The latest npm security kerfuffle:
@kazitor said in The latest npm security kerfuffle:
All the crap nodejs pulls and has resulted in honestly makes me hesitant to label myself a JavaScript developer, or use that word in any sort of proximity to descriptions of myself.
That's why you don't want to be a JS developer? Heh. There were plenty of good reasons not to, long before Node or NPM was ever a thing. All this is is validation.
This attitude does not help in the slightest. If people get rebuked just for writing JS in the first place, how the hell are they supposed to realise that npm is actually awful?
I've never been on the bandwagons for complaining about PHP or JS or all the others. Plenty of languages have stupid designs. Plenty of people do horrible things in those languages, some languages more than others. But that does not make everyone who ever touches the language a skilless developer. Only more of them.
-
@kazitor said in The latest npm security kerfuffle:
@masonwheeler said in The latest npm security kerfuffle:
@kazitor said in The latest npm security kerfuffle:
All the crap nodejs pulls and has resulted in honestly makes me hesitant to label myself a JavaScript developer, or use that word in any sort of proximity to descriptions of myself.
That's why you don't want to be a JS developer? Heh. There were plenty of good reasons not to, long before Node or NPM was ever a thing. All this is is validation.
This attitude does not help in the slightest. If people get rebuked just for writing JS in the first place, how the hell are they supposed to realise that npm is actually awful?
I've never been on the bandwagons for complaining about PHP or JS or all the others. Plenty of languages have stupid designs. Plenty of people do horrible things in those languages, some languages more than others. But that does not make everyone who ever touches the language a skilless developer. Only more of them.
Yes, well, plenty of languages have horrible bits, if not all of them. Javascript belongs in the pile of shit where the horrible bits are more of the language than the good bits. The only reason JS even still exists is that it was the only choice for years and years, and the stuff that predated it was even worse. It is a really horrible language, and it should have been abandoned long ago, but the web development community keeps it alive. Shit like TypeScript shouldn't even exist, it should all be thrown out in favor of a properly designed from the ground up sensible language.
And considering that the web dev world comes up with the new hot framework/library FOTM all the fucking time, swapping to a sane tech stack shouldn't be too hard since the only constant seems to be JS and tossing out tech stacks.
-
@Carnage said in The latest npm security kerfuffle:
The only reason JS even still exists is that it was the only choice for years and years
… for deploying into users' browsers. Why people started writing server software or general desktop software in it, I really don't know.
-
@dkf Most likely because a significant portion of JS developers really are skilless programmers.
I'm just saying that complaining about shitty languages does nothing for improving the state of things.
-
@dkf said in The latest npm security kerfuffle:
@Carnage said in The latest npm security kerfuffle:
The only reason JS even still exists is that it was the only choice for years and years
… for deploying into users' browsers. Why people started writing server software or general desktop software in it, I really don't know.
Yes, I just skipped that level of detail for my own convenience.
-
@dkf Code reuse, mostly.
-
@pie_flavor That's the argument everyone uses for node.js, but I've never seen the logic behind it. If your server and client are using significant amounts of the same code, you're probably in the extreme.
-
@kazitor said in The latest npm security kerfuffle:
you're probably
Funny I should mention Jeff here. My first knowledge of him came from someone quoting "any application that can be written in JavaScript, will eventually be written in JavaScript." in the context of how great node.js is, without providing the particular context for that quotation.
Certainly didn't do much to give me a good impression of this "Jeff Atwood" person, until I actually looked it up and found that he wasn't endorsing the excessive usage of JavaScript.
-
@kazitor said in The latest npm security kerfuffle:
Certainly didn't do much to give me a good impression of this "Jeff Atwood" person
99% of the stuff said about him here is utter bullshit. You'll get used to it. There's still a lot wrong with him, but it's a favorite pastime around here to find relatively small gripes and blow them out of proportion (one could argue it's one of the things that make us software developers).
-
@pie_flavor well, we have a very damn good reason for that. This thing between him and us, it's personal.
Edit: and about what kind of developer he is - he talked quite a bit about how his forum software is the future. Meaning he's targeting future mobile devices with it. Meaning that any performance issues on then-current devices aren't his concern.
-
@kazitor said in The latest npm security kerfuffle:
I'm just saying that complaining about shitty languages does nothing for improving the state of things.
I don't know, I think that guy who bitched about PHP a lot was pretty influential and significantly helped in pushing PHP out of mainstream, and indirectly also caused PHP itself to improve (when they started losing market share, they've made shitton of usability improvements in form of PHP7).
-
@pie_flavor said in The latest npm security kerfuffle:
99% of the stuff said about him here is utter bullshit
The core reason is that we used Discourse for a while and he insisted on acting as a moderator/admin while that was going on, which only served to prove that his vision of how threads/topics should be was totally at odds with our vision. Also, we reported a lot of bugs to him in ways that could best be described as aggravating, so we didn't just break contact but actively napalmed the bridges from orbit before salting the earth.
-
@pie_flavor said in The latest npm security kerfuffle:
but it's a favorite pastime around here to find relatively small gripes and blow them out of proportion
Yes, it's a relatively small gripe that Jeff banned me for reporting that the browser's back button doesn't work on Discourse, after I tried to correct him for completely misreading/misunderstanding my bug report. He said it was a hardware problem due to it being a Microsoft Surface which "isn't a real tablet and nobody uses them" even though the exact same bug was present on Internet Explorer for a normal desktop. Of course, I have no evidence for any of this, because he deletes bug reports rather than archiving them for future reference.
-
@mott555 I don't think he deletes bug reports.
I do think he deletes what he perceives to be attacks on his person or his infallible product.
-
@mott555 Back button works fine here. Refusing to support IE is not that unreasonable of a decision
-
@pie_flavor said in The latest npm security kerfuffle:
Back button works fine here.
This was like 3 years ago, you dolt. And IE was the only browser option on that tablet, and this was also back in the days when Jeff was all about supporting mobile because desktops were a thing of the past.
-
@PleegWat said in The latest npm security kerfuffle:
what he perceives to be attacks on his person or his infallible product.
A.K.A. bug reports.
-
@PleegWat said in The latest npm security kerfuffle:
@mott555 I don't think he deletes bug reports.
I do think he deletes what he perceives to be attacks on his person or his infallible product.
Wait, now I'm confused. First sentence you say one thing and right in the next sentence you claim the opposite. So does he or doesn't he delete bug reports now?
-
@PleegWat said in The latest npm security kerfuffle:
@mott555 I don't think he deletes bug reports.
He does. He uses Discourse for tracking Discourse bugs, and there's no "solved" button, and deleting is the next best thing. At least that's how he explained his reasoning. Bug solved -> thread deleted. Maybe they've changed their methodology since (it's been a few years after all), but these are almost literal quotes from Jeff himself.
-
@Gąska Huh, so he deletes the solved ones as well as the invalid ones? I sit corrected.
-
@Gąska Is there something I am missing? I thought Discourse was for forums.
-
@sweaty_gammon you're missing the same thing that we did. It's part of the reason why everyone was banned.
-
@sweaty_gammon said in The latest npm security kerfuffle:
@Gąska Is there something I am missing? I thought Discourse was for forums.
But any software application can be implemented as a web forum, if you try hard enough.
-
@mott555 I've once created a tool for making adventure games using BBCode [spoiler] tags.
-
@pie_flavor said in The latest npm security kerfuffle:
@kazitor said in The latest npm security kerfuffle:
Certainly didn't do much to give me a good impression of this "Jeff Atwood" person
99% of the stuff said about him here is utter bullshit.
Which is to say: accurate.
You'll get used to it. There's still a lot wrong with him, but it's a favorite pastime around here to find relatively small gripes and blow them out of proportion (one could argue it's one of the things that make us software developers).
One day you'll actually take a look at his blog and realize that we were correct all along, no matter how many ginormously over-provisioned but for Discourse servers you've encountered.
-
@PleegWat said in The latest npm security kerfuffle:
@mott555 I don't think he deletes bug reports.
I do think he deletes what he perceives to be attacks on his person or his infallible product.
I suspect there are more examples of him contradicting you but I think that's enough. Some of this is due to his brain fart about considering a forum to be a plausible way to manage a software project, and probably also relates somehow to the StackOverflow culture of deleting stuff, which I can't help but believe he had a hand in creating.
-
@Gąska said in The latest npm security kerfuffle:
@kazitor said in The latest npm security kerfuffle:
I'm just saying that complaining about shitty languages does nothing for improving the state of things.
I don't know, I think that guy who bitched about PHP a lot was pretty influential and significantly helped in pushing PHP out of mainstream, and indirectly also caused PHP itself to improve (when they started losing market share, they've made shitton of usability improvements in form of PHP7).
Was he the guy that was outed as a furry and then blocked half of Twitter? I'm still blocked by him.
-
@DogsB well, with that username, it shouldn't come as a surprise to anyone. And if you harassed him for being a furry, blocking you seems like an appropriate reaction. And since blocks are forever by default, I wouldn't hold a grudge for not unblocking you later on (unless you specifically asked him for that (inb4: through unblocked alt account) and he was like "no, years later I'm still mad").
-
@DogsB said in The latest npm security kerfuffle:
that was outed as a furry
Considering he has several public galleries of furry drawings, I don't think he was very secretive about that.
Although he seems to be more of a "pokemony" than a furry.
-
I think the rabbit on his website gave it away.
-
@Carnage said in The latest npm security kerfuffle:
Javascript belongs in the pile of shit where the horrible bits are more of the language than the good bits.
Source: /r/ProgrammerHumor
-
@Gąska I think angry rants can indeed make a change, but only if they're insightful and well written. So most threads here don't count.
-
@anonymous234 that's not a reason to stop ranting - that's a reason to rant even more! But in a more structured, more productive way.
-
@Gąska said in The latest npm security kerfuffle:
@DogsB well, with that username, it shouldn't come as a surprise to anyone. And if you harassed him for being a furry, blocking you seems like an appropriate reaction. And since blocks are forever by default, I wouldn't hold a grudge for not unblocking you later on (unless you specifically asked him for that (inb4: through unblocked alt account) and he was like "no, years later I'm still mad").
I didn't have anything to do with that. Just heard about it and thought it was funny. Never @ him in my life. I suspect it was through one of the block bots that were in vogue for a while. I have no problem with people who block. I just think they're funny.
-
@anonymous234 said in The latest npm security kerfuffle:
I think angry rants can indeed make a change, but only if they're insightful and well written.
Funny also works. Why wish that someone would go away and do their job marginally better when you can instead loudly declaim that you hope a team of seven hundred and thirty eight rabid porcupines should take an amorous interest in that person's shoes one night?
-
@mott555 said in The latest npm security kerfuffle:
@pie_flavor said in The latest npm security kerfuffle:
Back button works fine here.
This was like 3 years ago, you dolt. And IE was the only browser option on that tablet, and this was also back in the days when Jeff was all about supporting mobile because desktops were a thing of the past.
But only if you were using the latest iDevice, or if you were the dirtiest of plebs, top-of-the-line flagship Android. And mobile is Different™ anyway.
-
@hungrier That sort of attitude infuriates me. I am currently working on a product that is used by a lot of guys that do construction. They all have basically the free phone you get on a contract, so it's a cheapo Chinese Android phone. Even low end desktops / netbook devices can be brought to their knees by inefficient browser code.
-
@sweaty_gammon said in The latest npm security kerfuffle:
That sort of attitude infuriates me.
Welcome to King Jeff™
-
@loopback0 I suspect being a "big name" went to his head at some point.
-
@loopback0 said in The latest npm security kerfuffle:
@sweaty_gammon said in The latest npm security kerfuffle:
That sort of attitude infuriates me.
Welcome to King Jeff™
-
@cvi said in The latest npm security kerfuffle:
I'm not against such a list, I just think it'd be hard to pull off in a meaningful way.
Can't we just ask the evil developers to declare which packages they've hacked?