Comment by hypfer

7 days ago

Look, man, I understand all that, but pulling the plug is something that takes at most 90s. Let's say 300s to add the "Warning: There is an attack. We're working on it. Systems are down for now" box

After that, you have all the time in the world to prioritize dayjobs etc.

It's not about dropping everything and fixing the root cause. It's just about taking stuff offline so that the immediate danger is mitigated.

That is not too much to ask. It's not "people like me" having weird opinions there.

Shut it down. Then fix whenever there is time to do so.

___

But hey. Finally a statement from someone with some amount of position in the org I guess?

I wouldn't want to be in your shoes for sure, but that's beside the point. Nothing here is unreasonable other than the ostrich-style incident response lack-of-process.

And I don't mean stupid corporate process. I mean "common sense adults are in the room" process. Throw waterbucket at burning server reflex.

___

I mean I can see that your userbase absolutely sucks and could imagine that one would be scared of getting roasted for "interrupting their workflow", but this is not the way.

Their workflow is irrelevant.

As said, I'm all here for maintainer empathy, but only after the fire is put out first.

___

Anyway, "institutional rot" is not an insult but a diagnosis. I'd love to be proven wrong on that, but I don't see it.

And trust me, I do know first hand how thankless this non-job is and what hell one goes through. I have skin in the game. I just don't have a horse in the arch race.

4 comments

hypfer

Reply
Tharre  7 days ago

"Hey, let's take down all of npm, because there's a package that installs something malicious, and some people may install it without reviewing it first. The thousands of other people relying on this service can wait."

Do you not realize how crazy of an request that is?

  • hypfer  7 days ago

    You do realize that the people relying on the service also get served wormable malware, right?

    The service is already disrupted. It is not that a disruption could be _avoided_. The discussion makes no sense.

    ___

    Hell, even if I would be completely wrong in that assessment (not sure how, but let's assume that's the case)

    You can still put up a banner. "Hey, FYI: We're under attack".

    If not right away, then at the very least the moment media reports on it. And if media reported wrong, the banner says "Don't worry people. Media got it wrong."

    • Tharre  7 days ago

      > You do realize that the people relying on the service also get served malware, right? The service is already disrupted.

      Huh? No they don't. I'm not sure what part of the attack your misunderstood, but most people are going to be completely unaffected by this. None of the infrastructure or anything like that got compromised. I updated my AUR packages 2 hours ago, and didn't get served any malware.

      Again, there's probably some kind of malware on npmjs at any given time. You don't just shutdown the entire server because of that, that's madness.

      1 reply →