- When I have an example open, I can't type any commands.
- When I open an example, I expected to actually... see an example. I'm not gonna read the wall of text. I don't even understand what this is yet, that's why I tried to see an example.
The example was great for someone like me: I'd rather read through and follow excellent instructions by clicking through commands to understand the value of this command-driven tool.
If you want to look through a video or something, then this tool is likely not for you! (nothing bad with that, that's why it's great that there are so many different tools we can choose from)
Not for nothing, but have we all forgotten the Sony rootkit? Actually, that would be a perfect front. Start a game company backed by a nation state, put in rootkit anti-cheat, profit.
Right? I was seriously considering migrating everything in our company from GitHub to GitLab. Now I'm seriously considering self hosting our git instead.
There are a lot of downsides to self-hosting your git as well. Especially if you need to deal with high availability, scalability beyond a single server, and/or being open to the public Internet.
I'm not saying you should never self-host your git server, but it's not for everyone.
No, these things are actually much easier to solve when you don't have to care for millions of users across every timezone and can just focus on <10,000 users that can easily be handled with a modest VPS setup.
It's truly pathetic how developers today cede everything to cloud services. A $20 VPS (whatever gets you 4 gigs of ram) is likely enough to host all the business needs of 90% of SMBs across the US.
Even easier today with things like Docker, Forgejo, and other great self hosting solutions.
Why would a company care about opening up their codebase to the internet? These are problems you don't have to care about when you only want a small subset of solutions. Especially when the tradeoffs are drastically simpler.
My bar for self-hosting something isn't "these base standard features work", they had fucking better.
I get self-hosting for security, compliance, and retention reasons, but for almost everything else it seems questionable for any use I would consider normal.
I don't think hosting git is all that complicated, just install it on a server, create a repo, and push to it.
What is complicated is having a convenient interface for managing the repository (users, groups, and hook-actions) and showing what the repository contains (commits, branches, tags).
I remember back in the day the first part was handled adequately with software like gitosis and gitolite, which just used a git repository to manage the other git repositories on the system.
I just look at the pricing and really start thinking: is it really a multi-hundred-euro-a-year-per-seat product... Frankly, as a consumer, those pricing levels just seem distanced from reality.
I don't know if that really solves your problem if the main trunk of development for GitLab is being run through several AI slop machines before they push it to what they call stable, and then you download that (or use a Debian or Red Hat package for GitLab which originated from it) and self-host the results of the AI slop fest on your own machine.
Because it does. The attack has to involve the CI pipeline rather than the dev environment, there's no token to revoke after (if you evict the attacker you're done, the OIDC credentials expire), it's easier to monitor for externally, you can build things like branch protections in and isolate things like "run tests" from "publish", etc. Trusted Publishing is not itself a solution to all supply chain issues but it is a massive improvement.
I agree with you that TP is an improvement over long lived npm tokens in CI.
However, the threat I'm most afraid of still does involve dev environment compromise. Because if your repo admin gets their token stolen from their gh cli, they can trivially undo via API (without a 2fa gate!) any GitHub-level gate you have put in place to make TP safe. I want so badly to be wrong about that; we have been evaluating TP in my projects and I want to use it. But without a second factor to promote a release, at the end of the day if you have TP configured and your repo admin gets pwned, you cannot stop a TP release unless you race their publish and disable TP at npm.
TP is amazing at removing long-lived npm tokens from CI, but the class of compromise that historically has plagued the ecosystem does not at all depend on the token being long-lived; it depends on an attacker getting a token which doesn't require 2fa.
I am begging for someone to prove me wrong about this, not to be a shit, but because I really want to find a secure way to use TP in lodash, express, body-parser, cors, etc
Yes, that is the threat I'm most worried about as well. But look at your description of it - a repo admin has to be compromised. Not just "random engineer". Although, in this case, the attacker leveraged a cache poisoning attack to move into the privileged workflow and I suspect this sort of thing will be commonplace.
I'm in agreement that a second factor would be ideal, to be clear. I think it's a good idea, something like "package is released with Trusted Publishing, then 'marked' via a 2FA attestation". But in theory that 2FA is supposed to be necessary anyways, since you can require 2FA on GitHub and then require approvals on PRs - hence the cache poisoning being required.
Not to beat the dead horse, but this floored me when I realized it, so I keep trying to shout it at the top of my lungs.
There is no gate you can put on a Trusted Publisher setup on GitHub which requires 2fa to remove. Full stop. 2fa on GitHub gates some actions, but with a token with the right scope you can just disable the gating of workflow-runs-on-approve, branch protection, anything besides, I think, repo deletion and renaming.
And in my experience most maintainers will have repo admin perms by nature of the maintainer team being small and high trust. Your point is well taken, however, that said stolen token does need to have high enough privileges. But if you are the lead maintainer of your project, your gh token just comes with admin on your repo scope.
I, however, do look forward to a time when we can prompt our own TV shows. That second season that ruined your favorite show? Fix it. The second season that never happened? Create it. Of course AI needs to get better still for that to be bearable for many of us, but I'm still excited at the idea!
Isn't the scenario you are describing the ultimate collapse of art and culture as we know it?
If everyone sits at home and creates the content that they want, what do we talk about? How do we engage in shared culture if there is nothing to experience together?
Well, that was a recent invention anyway - at least in Europe where I live. TVs did not really reach most of the households until late '70s and the shared pop culture based on movies (mostly from US), cartoons (mix from Japan and US), advertisements (usually national) was created quite fast.
On top of that, I wonder if it wouldn't be for the better. 100 years ago many regions had distinct cultures. 200 years ago pretty much each village had a wee different culture, with slightly different fairy tales or songs and so on. Nowadays the culture gets standardised at a massive pace. If generative AI could put a stop to it... That'd definitely be an improvement.
Maybe you have a point there.
An optimistic outlook would be that AI allows people to create content that can compete with the polished, mass-produced, standardized stuff without the prohibitive budget requirements.
The pessimistic view is that it leads to more isolation, where everyone only "creates" for themselves.
I don't think it would be worse isolation than consuming standardized mass-produced content. Even a simple prompt, thinking about what you want and so on, is already the beginning of creativity. Turning on the TV/Netflix/whatever is not.
Unless the problem is people's isolation in the sense that people would not consume standardized content, which also, to some extent, standardizes their minds. But in that case it's an isolation problem even without AI, when people check out from mass culture and entertain themselves, whether entirely solo or in small fringe subcultures. Which is kinda isolation if you look at it from a 19th/20th century point of view, when the name of the game was to normalise all the regional cultures into bigger bodies of people. But is such isolation the wrong or the good kind of isolation? I'd lean towards the latter.
Welcome to the life of fringe subcultures. Of course subcultures, even the most fringe ones, still have some community. But even in a generated-content world, some people would end up with similar taste and their generated content being similar. They may even share that content and watch some of each other's content! And oh boy, the joy of meeting that rare human who has similar taste! E.g. knowing some fringe band that created a demo tape two decades ago that you found on some strange torrent tracker.
But yes, mass/pop culture as we know it would be dead. And IMO the world would be better off.
I agree with other comments that this may lead to people staying inside their comfort zone. But I think it's a question of time until a good portion of people would start sharing that content with other people, expanding each other's imagination. And the few that don't... Well, existing pop culture is not exactly good at expanding the mind either. And such decentralized content creation may be less prone to propaganda and other social control efforts.
This + NFT integration will be the real game changer. Like it's Breaking Bad, except Walter White is decked out like one of your Slonks. Or it's Indiana Jones stealing a Bored Ape instead of the idol. Possibilities are endless.