The thing is, how do I know whether the Debian repo is free of them? Arch user repos? The node.js packages? My pip? The package managers I don’t really understand but had to use anyway? Code from my colleagues? My students? Vim plugins?
Every program can do ssh to my critical remote computer if they want to.
And now someone in the chain can land on the wrong github page suggested by Google, which itself is bent to its knees by ChatGPT.
Again, this existed before AI. Typo squatting, supply chain attacks, automated package uploads, CI pipeline infection, they’re all known attack vectors. That’s not to say this isn’t a concern, just that it’s a known risk and the addition of “AI” doesn’t, to my eyes, increase that risk. If your SSH keys don’t require a password, you have taken the decision to make those keys less secure but more convenient to use. That’s pretty much always the tradeoff in security.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !programming@programming.dev
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person’s post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
Follow the programming.dev instance rules
Keep content related to programming in some way
If you’re posting long videos try to add in some form of tldr for those who don’t want to watch videos
The thing is, how do I know whether the Debian repo is free of them? Arch user repos? The node.js packages? My pip? The package managers I don’t really understand but had to use anyway? Code from my colleagues? My students? Vim plugins?
Every program can do ssh to my critical remote computer if they want to.
And now someone in the chain can land on the wrong github page suggested by Google, which itself is bent to its knees by ChatGPT.
Again, this existed before AI. Typo squatting, supply chain attacks, automated package uploads, CI pipeline infection, they’re all known attack vectors. That’s not to say this isn’t a concern, just that it’s a known risk and the addition of “AI” doesn’t, to my eyes, increase that risk. If your SSH keys don’t require a password, you have taken the decision to make those keys less secure but more convenient to use. That’s pretty much always the tradeoff in security.
I’m talking about the magnitude