And the best recommendation security teams can give - keep your SBOM strict, use a min release age policy (sounds more like a band-aid). That's a scary world to live in.
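For readers who have not met a "min release age" policy before, here is what such a check looks like in practice. This is an added example, not code from the commenter or from any particular package manager: it reads an npm-style packument (the registry's per-package JSON, whose "time" map records the publish timestamp of every version) and refuses any version published more recently than a configured threshold, falling back to the newest version that is old enough. The package name, version list, dates and the reference clock NOW are all constructed for the example.

```python
"""Added example: enforce a minimum release age on package versions.

Input is an npm-style packument fragment; only its "time" map matters.
All registry data here is constructed, not taken from a real package.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed packument fragment (package name and dates are made up).
SAMPLE_PACKUMENT = json.dumps({
    "name": "example-left-pad",
    "dist-tags": {"latest": "1.4.0"},
    "time": {
        "created": "2024-01-10T12:00:00.000Z",
        "modified": "2025-03-01T09:30:00.000Z",
        "1.2.0": "2024-06-01T08:00:00.000Z",
        "1.3.0": "2024-12-15T10:00:00.000Z",
        "1.4.0": "2025-03-01T09:30:00.000Z",   # published ~1.6 days before NOW
    },
})

# Fixed reference clock so the example is reproducible (constructed).
NOW = datetime(2025, 3, 3, 0, 0, 0, tzinfo=timezone.utc)


def parse_iso(ts: str) -> datetime:
    """Parse an npm timestamp; registry times end in 'Z', which older
    fromisoformat() versions reject, so normalise it to '+00:00'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_ages(packument: str, now: datetime) -> dict[str, timedelta]:
    """Map each published version to its age relative to `now`.
    The 'created' and 'modified' keys are package-level, not versions."""
    data = json.loads(packument)
    return {
        version: now - parse_iso(ts)
        for version, ts in data["time"].items()
        if version not in ("created", "modified")
    }


def is_allowed(packument: str, version: str, now: datetime,
               min_age_days: int = 7) -> bool:
    """Policy check: a version is acceptable only if it has been public
    for at least `min_age_days`. Unknown versions fail closed."""
    ages = release_ages(packument, now)
    if version not in ages:
        return False
    return ages[version] >= timedelta(days=min_age_days)


def newest_allowed(packument: str, now: datetime,
                   min_age_days: int = 7):
    """Newest version (numeric semver order) that satisfies the policy,
    or None when every published version is still too fresh."""
    ages = release_ages(packument, now)
    threshold = timedelta(days=min_age_days)
    allowed = [v for v, age in ages.items() if age >= threshold]

    def semver_key(v: str):
        return tuple(int(part) for part in v.split("."))

    return max(allowed, key=semver_key) if allowed else None


if __name__ == "__main__":
    latest = json.loads(SAMPLE_PACKUMENT)["dist-tags"]["latest"]
    print(f"latest={latest} allowed={is_allowed(SAMPLE_PACKUMENT, latest, NOW)}")
    print(f"newest version passing the 7-day policy: "
          f"{newest_allowed(SAMPLE_PACKUMENT, NOW)}")
```

The point of the threshold is that a compromised maintainer account or poisoned release is usually noticed and yanked within days; waiting out that window costs you nothing but freshness. The fall-back to `newest_allowed` matters in CI, where a hard failure on a too-fresh `latest` would otherwise block every build the day after an upstream release.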
A friend of mine has a very different solution: he codes everything by hand. He says that the time you need to research to include a new package you can actually use to code the piece you need. And he for sure doesn't have the problems of transitive dependencies.
That's been happening to me more often too recently. I find that, for a growing number of simple problems, reinventing the wheel is faster and more efficient than importing a mature, fully-featured dependency.
But now he needs to develop, test and maintain that code. Left-pad is easily hand-coded, a React framework not so much.
His projects were GUIs for machines (HMI).
Depending on the scenario, it can be very fine. E.g. if you just need one or two function calls from the dependency. However, for some complex binary protocols it might be better to stick with libraries.
I assume that means he genAIs all his deps? Rather than writing them by hand.
> keep your SBOM strict

Based on the news, seems like it is better to not include Microsoft at all in there.