This reveals a deeper flaw in the whole git/npm pipeline (would apply to other s... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		globular-toast 32 days ago \| parent \| context \| favorite \| on: Glassworm is back: A new wave of invisible Unicode... This reveals a deeper flaw in the whole git/npm pipeline (would apply to other systems like PyPI etc, not npm exclusively). These systems should operate on a "pull" model, not a push. The system should have rejected a build that wasn't derived from the latest in its repository. It would be quite easy in concept to set up one's own system to pull every source on npm and alert when the upstream has deviated.

redman25 32 days ago [–]

So someone is debugging something with git bisect and stumbles on the old commit and gets pwned. Maybe that's why they force killed it? To avoid people going back in history and stumbling on it.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact