Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
> developers not working in an isolated environment (zone, vm, jail, etc) and letting their devtools access their whole laptop
they deserve it
@feld @joe @mhoye @sun @mischievoustomato would you recommend Linux jails in general for software that is not well supported for FreeBSD? Instead of just running say Alpine VMs on Bhyve. (currently two cases in mind: OpenwebUI and Invidious)
@feld @mhoye @sun@shitposter.world @mischievoustomato
I think we're talking past the point here - say you run your whole dev environment in a VM - sure, *your* OS is fine, but the packages you've trusted for years that you're including as dependencies have just been fucked, and that's what you're shipping to *me*, the end user.
Did I "deserve it"? I put it to you that I don't. I also don't think "everyone should just run everything in a container because someone wants to use some LLM agent in their gitforge" is the same as "don't install a random exe from a random warez site".
How did I deserve to have my box popped because you, a trustworthy dev, used a package that's trustworthy for years? This thinking makes no sense.
@feld @mhoye @mischievoustomato which I deserved?
if this is a new threat you couldn't possibly have conceived until this conversation: no
if you're aware of this risk but not being proactive in protecting yourself: absolutely
@feld @mhoye @mischievoustomato this is a catastrophically unhelpful position to hold, and will win you no friends to argue it in public :(