has anyone been making security arguments for mono...
# random
f
has anyone been making security arguments for monorepos? it might be time to start doing that: https://www.zdnet.com/article/pypi-gitlab-dealing-with-spam-attacks/
h
cc @happy-kitchen-89482 for your PyCon proposal about monorepos
h
Interesting!
For sure
f
h
Ah yes
f
this guy name-squatted internal package names on public indexes
h
although interestingly I knew about the (off topic) PyPI movie spam from that other link
f
this attack is actually really scary to me personally because i have very intentionally built systems that would be vulnerable to it
and it was the challenge of maintaining the correct boundaries of a complex set of company-internal dependencies that led me to seeking out monorepos and digraph build tools
h
Yeah, that is a big attack surface.
That's an excellent point in favor of monorepos
h
Josh would you be interested in writing a Pants blog post about your experience with this topic? We'd be happy to help edit etc
e
I'm missing the monorepo argument here. It seems the same thing could go wrong on an even bigger scale. Is it just that you have only 1 repo to fix?
f
possibly yes, let me get back to you next week when i have a better idea of my new schedules
e
Or are you thinking monorepo means monorepo with no exceptions so there are 0 internal deps satisfied via requirements?
f
john, yes, i was hinting at more of a 0 deps shared via requirements thing
i understand that some orgs use multiple "monorepos" and share requirements via internal package indexes, i'm not sure that this helps in that situation