I don't think computer people really realize just how little (relevant) malicious code actually exists on the anyone-can-upload package registries, and folks seem to consistently overestimate the actual threat level here
As a bit of extra background: I've been professionally auditing (probably thousands of) FOSS dependencies for years now, in a high-risk environment, and *not once* have I run across deliberately malicious code, not even questionably broken code, really.
Every single issue so far has been a security issue, none that were likely to be disguised backdoors. Many of them were very common security issues that most developers are likely to create themselves when reinventing wheels (e.g. when avoiding dependencies out of a misguided fear of malicious code).
That's where the *real* risk is.
@joepie91 "zero dependencies" can mean "we suffer from NIH so we re-invent all the wheels all the time", but it can also mean "there are dependencies but we bundle everything ourselves in some nonstandard way and most of them are outdated versions".
I'm not sure which one is worse, both are not great.
@joepie91 confirmation bias + Dunning-Kruger effect?
@nerkles Nah, there's a more specific name for it. Something to do with news coverage specifically, where uncommon events are always covered and therefore seem common, whereas common events are not worth reporting on and are therefore perceived as uncommon.
@joepie91 @nerkles Found this article, with a very generic name "News Paradox" https://www.news5cleveland.com/news-paradox
@joepie91 @nerkles I did not expect this to become relevant within a week: https://pytorch.org/blog/compromised-nightly-dependency/ 😂
@eloy @nerkles Wow. They knew about it and declared it "not a security issue". What the hell.
https://github.com/pypa/pip/issues/8606
@joepie91 @nerkles 'Selective reporting' it seems https://rationalwiki.org/wiki/Selective_reporting
@joepie91 @nerkles I'm not sure about news coverage specifically, but I think you're talking about the Bullet Hole Paradox.
It seems to be an example of Survivorship Bias, which is probably the way-more-common name.
https://andycwareing.com/2022/03/08/the-bullet-hole-paradox/
@joepie91 do you count things like Google Play Store as package registries? Because that would change the numbers a fair bit :p
(I assume you don't; this is a joke)
@Peetz0r Nope :p
@joepie91 I think you are largely right, but I think the argument doesn't quite apply to (potential) targeted attacks - in those cases, the frequency of occurrence matters way less than the ease with which a motivated actor might attack a specific target
And no, it's not *just* security folks overestimating the threat level, tons of software developers do it too (and often at the same time overlook the things that are *actually* dangerous)