Comment by rs999gti
2 months ago
> supply chain attacks
You all really need to stop using this term when it comes to OSS. Supply chain implies a relationship, none of these companies or developers have a relationship with the creators other than including their packages.
Call it something like "free code attacks" or "hobbyist code attacks."
“code I picked up off the side of the road”
“code I somehow took a dependency on when copying bits of someone’s package.json file”
“code which showed up in my lock file and I still don’t know how it got there”
All of which is true for far too many projects
I know CrowdStrike have a pretty bad reputation but calling them hobbyists is a bit rude.
I'm sure no offense was intended to hobbyists, but it was indeed rude
A supply chain can have hobbyists, there's no particular definition that says everyone involved must be a professional registered business.