I think you raise very important concerns. The only Sage change I see after the xz drama is @Dima occasionally PGP signing his mails. The more packages you "own", the more developers you own. The more developers you own, the more packages you own.
On Thu, Apr 18, 2024 at 5:09 PM Lorenz Panny <lor...@yx7.cc> wrote:
>
> This also seems like a good time to reiterate an old comment of mine:
> https://groups.google.com/g/sage-devel/c/Dq83PiiCAsU/m/RKSpD9_rDQAJ
> ...pasted below for your convenience.
>
> On Tue, 21 Dec 2021 04:04:31 +0100, Lorenz Panny <l.s.pa...@tue.nl> wrote:
> > On Mon, 20 Dec 2021 14:41:27 +0100, Michael Orlitzky <mich...@orlitzky.com> wrote:
> > > We already have 214 standard packages. That's 214 pieces of software copy & pasted into the sage releases... and 214 SPKGs that the sage developers need to keep updating, and 214 distro packages that every distro maintainer needs to keep track of as dependencies of the sage package.
> >
> > It's also 214 software packages which might, for all we know, at any time be hijacked by The Bad Guys to run arbitrarily malicious code on every Sage user's machine.
> >
> > This is terrifying.
> >
> > (For examples where the modern "import * from internet" mentality has led to security disasters, just search for terms like "malicious npm". Luckily it seems less bad with pip packages for now, but not for any real reason. Every single piece of code we import adds huge security questions, because updates to the dependency may be published at any time totally invisible to Sage developers and the review process used in Sage development. The build scripts will simply pull and run it.)
> >
> > We should reduce dependencies, not add more. _Especially_ when it's about non-essential convenience libraries.
>
> On Wed, 17 Apr 2024 09:43:28 +0300, Georgi Guninski <ggunin...@gmail.com> wrote:
> > If the recent xz backdoor drama didn't induce enough paranoia in you, here is a second chance exception:
> >
> > https://www.theregister.com/2024/04/16/xz_style_attacks_continue/
> >
> > Open sourcerers say suspected xz-style attacks continue to target maintainers
> > Social engineering patterns spotted across range of popular projects
> > Tue 16 Apr 2024 // 14:07 UTC
> >
> > Open source groups are warning the community about a wave of ongoing attacks targeting project maintainers similar to those that led to the recent attempted backdooring of a core Linux library.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "sage-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to sage-devel+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/sage-devel/CAGUWgD82%3DoROFFxZwrKZG6eB0Kd5GEKW8wrPw_Q4gm8WJjioCA%40mail.gmail.com.
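The quoted worry that "the build scripts will simply pull and run it" is usually countered by committing the hash of each reviewed upstream archive next to the build scripts and refusing to build on any mismatch, so a silently republished tarball fails loudly instead of running. The following Python is an added illustration of that check, not code from Sage or from anyone in this thread; the package name, archive bytes and pin list are constructed.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample "tarballs" standing in for real upstream archives.
REVIEWED_LIBFOO = b"libfoo-1.2.3 source tree as it was when it was reviewed"
# Same name and version, but the upstream archive was silently republished
# with one extra byte: exactly the "invisible update" the thread worries about.
REPUBLISHED_LIBFOO = REVIEWED_LIBFOO + b"\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical pin list a project would commit alongside its build scripts:
# name -> (version, sha256 of the exact archive that passed review).
PINS: Dict[str, Tuple[str, str]] = {
    "libfoo": ("1.2.3", sha256_hex(REVIEWED_LIBFOO)),
}


def check_fetched(pins: Dict[str, Tuple[str, str]],
                  fetched: Dict[str, bytes]) -> Dict[str, str]:
    """Compare every fetched archive against the committed pin list.

    Status per name: "ok" (hash matches the reviewed archive), "mismatch"
    (content changed since review), "unpinned" (fetched without a reviewed
    pin) or "missing" (pinned but not fetched).
    """
    report: Dict[str, str] = {}
    for name, data in fetched.items():
        if name not in pins:
            report[name] = "unpinned"
        elif sha256_hex(data) == pins[name][1]:
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    for name in pins:
        report.setdefault(name, "missing")
    return report


def build_allowed(report: Dict[str, str]) -> bool:
    """The build step proceeds only when every archive is "ok"."""
    return bool(report) and all(s == "ok" for s in report.values())


if __name__ == "__main__":
    for label, fetched in [("reviewed", {"libfoo": REVIEWED_LIBFOO}),
                           ("republished", {"libfoo": REPUBLISHED_LIBFOO})]:
        report = check_fetched(PINS, fetched)
        print(label, report, "build allowed:", build_allowed(report))
```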