GitHub is under automated attack by millions of cloned repositories filled with malicious code.::Thanks to a combination of sophisticated methodology and social engineering, this particular attack seems to be very difficult to stop.

      • 1984
        link
        fedilink
        English
        arrow-up
        14
        arrow-down
        1
        ·
        9 months ago

        No open repo is safe from attacks like this.

      • douglasg14b@lemmy.world
        link
        fedilink
        English
        arrow-up
        37
        arrow-down
        2
        ·
        9 months ago

        Because they obviously didn’t read the article?

        Unless you only use software and libraries hosted on gitlab, which you don’t, then that’s immaterial to this problem. GitHub is a target because of it’s size, Gitlab and friends are seemingly just as vulnerable to this sort of attack, which ONLY works because of human nature. Which last I checked is the same regardless of platform…

        • chonglibloodsport@lemmy.world
          link
          fedilink
          English
          arrow-up
          9
          arrow-down
          3
          ·
          9 months ago

          Gitlab is open source. You can download it and host it yourself. A decentralized developer community is resilient against this sort of attack for the very reason GitHub is so vulnerable: size.

          Git was always designed with decentralized development and collaboration in mind. Its creator, Linus Torvalds, prefers not to bother with servers like GitHub at all. Git can even be used entirely over email (Linus’s preference)!

          • conciselyverbose@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            13
            arrow-down
            2
            ·
            edit-2
            9 months ago

            A decentralized developer community is resilient against this sort of attack for the very reason GitHub is so vulnerable: size.

            No, it’s not. Not in literally any way. Not 1%. Not 0.000000000000000001%. You don’t even get security by obscurity as a nebulous benefit because the core mechanisms are basically the same between instances.

            No projects are being compromised. They’re being imitated and passed off as the real thing to the naive. You can just as easily do that on another server (including established ones by adding multiple domains to your scripts) when people expect to use thousands of different git hosts as you can on GitHub, except without the benefit of the scale of Microsoft’s expertise at handling this type of attack.

            I’m all for federated git being the way forward. I’d love to see it grow into a reasonable option. But it has no benefit in any context against an attack like this.

            • hatedbad@lemmy.sdf.org
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              9 months ago

              a decentralized community that correctly prioritizes security would absolutely be using signed commits and other web-of-trust security practices to prevent this sort of problem

              • conciselyverbose@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                3
                ·
                9 months ago

                New accounts exist and have good reason to exist. You can’t and shouldn’t ban new accounts from creating projects.

                Anyone capable of understanding what “web of trust” means is already way too sophisticated to be misled by these fake projects.

          • abhibeckert@lemmy.world
            link
            fedilink
            English
            arrow-up
            8
            arrow-down
            3
            ·
            9 months ago

            Gitlab is open source. You can download it and host it yourself. A decentralized developer community is resilient against this sort of attack for the very reason GitHub is so vulnerable: size.

            Um, what? Sorry but if someone is going to send, say, ten million malicious contributions (or heck, even just one), I don’t particularly want to deal with that on my self hosted server. I’d rather someone else deal with it.

            Git was always designed with decentralized development and collaboration in mind. Its creator, Linus Torvalds, prefers not to bother with servers like GitHub at all. Git can even be used entirely over email (Linus’s preference)!

            The Linux project created Git to solve problems they had. Pretty much no other project in the world has the same set of problems - it’s a highly unusual open source project with tens of millions in market value. Other projects have very different needs.