Oddbean new post about | logout
5ab0ff62 | 1 years ago (raw) | root | parent | reply | flag 
 @033b744f While I agree with you, there are issues, I worry that your framing is flirting with baseless conspiracies as you seems to be ignoring that there are many safeguards in place to avoid letting GitHub corrupt the whole project.

Even if we didn't use GitHub, you have to understand that NixOS / Nixpkgs cannot force anyone we are consuming packages of to migrate somewhere else.

Either case, I think this is kinda FUD…
4ff2e6be | 1 years ago (raw) | root | parent | reply | flag 
 @7c36db82 I can't follow your accusation.

The facts show that Microsoft got compromised since at least 2021-04.

There is no claim by MS I know of that GH is completely separated from MS infrastructure that got compromised.

Current NixOS setups are pulling from GitHub which belongs to Microsoft. Yes, this can be changed but that's not the point here at all.

As far as I know, you can't protect yourself from a bad actor that has more or less full access to the GH infrastructure and backends.
1/2
5ab0ff62 | 1 years ago (raw) | root | parent | reply | flag 
 @033b744f 

You are jumping from MSFT got compromised at time T to MSFT is still compromised and all GH repos are compromised with full capabilities for attackers. This is one of my accusation.

> As far as I know, you can't protect yourself from a bad actor that has more or less full access to the GH infrastructure and backends.

Assuming this without proof is, to be honest, conspiracy.
I don't like Microsoft neither, but this is ridiculous.
4ff2e6be | 1 years ago (raw) | root | parent | reply | flag 
 @7c36db82 2/2

Yes, there is no proof or indication that anything happened to any GH repository yet. 👍 

However, in IT security, you don't rely on lucky guess. A compromised network is still a compromised network and needs to be restarted from a clean status.

It doesn't look like MS is going to setup major parts of their infrastructure to introduce trustworthy hosts again.

So where's the FUD in terms of reasoning?
5ab0ff62 | 1 years ago (raw) | root | parent | reply | flag 
 @033b744f 

> So where's the FUD in terms of reasoning?

> It *doesn't look like* MS is going to setup major parts of their infrastructure to introduce trustworthy hosts again.

I think you answered yourself very well.

In IT security, lucky guess are not primitives to build threat models. Hypotheses, assumptions, economics, politics, technical measures and careful analyses are.

What you are doing is just lucky guessing that MSFT didn't do any form of "reasonable" due diligence.