In this case, couldn't this have been avoided by the owners properly limiting write access? In the article, it mentions that they used *.
stackghost 4 hours ago||
As in any complex system, failures only occur when all the holes in the metaphorical slices of Swiss cheese line up to create a path. Filling the hole in any of the layers traps the error and averts a failure. So, perhaps yes, it could have been solved that way.
My personal beef in this particular instance is that we've seemingly decided to throw decades of advice in the form of "don't allow untrusted input to be executable" out the window. Like, say, having an LLM read github issues that other people can write. It's not like prompt injections and LLM jailbreaks are a new phenomenon. We've known about those problems about as long as we've known about LLMs themselves.
zephen 4 hours ago||
Yeah, LLMs are so sexy.
S- Security
E- Exploitable
X- Exfiltration
Y- Your base belong to us.
retired 3 hours ago||
Perhaps we should have an alternative to GitHub that only allows artisanal code that is hand-written by humans. No clankers allowed. GitHub >>> PeopleHub. The robots are free to create their own websites. SlopHub.
bhhaskin 3 hours ago|
No way to actually enforce that. It would be an honor system.
retired 3 hours ago||
You can verify it by checking the authors handwriting, the color of their ink and how the tip of the pen has indented the paper. That is difficult to spoof with AI.
pixl97 2 hours ago||
So, what you're saying is you want someone to make a machine that can clone their handwriting.
retired 2 hours ago||
Perfectly cloning someones handwriting so that it is indistinguishable in all circumstances is generally considered not fully possible
pixl97 1 hour ago||
The same is true for perfectly cloning your own handwriting.
Sytten 5 hours ago||
We have been working on an issue triager action [1] with Mastra to try to avoid that problem and scope down the possible tools it can call to just what it needs. Very very likely not perfect but better than running a full claude code unconstrained.
If you execute arbitrary instructions whether via LLM or otherwise, that's a you problem.
simlevesque 1 hour ago||
I'm just wondering if there's a possible way to prevent this that wouldn't be intrusive or break existing features.
phendrenad2 2 hours ago||
This is fine, right? It's a small price to pay to do, well, whatever it is ya'll like to do with post-install hooks. Now me, I don't really get it. Call me dumb, or a scaredy-cat, but the very idea of giving the hundreds of packages that I regularly install, as necessitated by javascript's lack of a standard library, the ability to run arbitrary commands on my machine, gives me the heebie-jeebies. But, I'm sure you geniuses have SOME really awesome use for it, that I'm simply too dense in the head to understand. I wish I were smart enough to figure it out, but I'm not, so I'll keep suffering these security vulnerabilities, sleeping well at night knowing that it's all worth it because you're all doing amazing, tremendous things with your post-install hooks!
hunterpayne 1 hour ago|
Without it, all a package can do is drop files on a filesystem. Its used to do any sort of setup, initialization or registration logic. Its actually impossible to install many packages without something like it. Otherwise, you end up having to follow a bunch of install instructions (which you will mess up sometimes) after each package gets installed.
phendrenad2 28 minutes ago||
I think that helps me understand. What are some examples of things where I'd want initialization or registration? What packages are impossible to install with this, besides cases where npm is used as an alternative to apt/yum to install dev executables?
long-time-first 5 hours ago||
This is insane
metalliqaz 2 hours ago|
Hey does anyone know what software is used to create the infographic/slide at the top of this blog post?