# random

flat-zoo-31952

02/17/2021, 9:59 PM
has anyone been making security arguments for monorepos? it might be time to start doing that: https://www.zdnet.com/article/pypi-gitlab-dealing-with-spam-attacks/
👀 1
🔒 2

hundreds-father-404

02/17/2021, 10:00 PM
cc @happy-kitchen-89482 for your PyCon proposal about monorepos

happy-kitchen-89482

02/17/2021, 10:01 PM
Interesting!
For sure

flat-zoo-31952

02/17/2021, 10:02 PM

happy-kitchen-89482

02/17/2021, 10:02 PM
Ah yes

flat-zoo-31952

02/17/2021, 10:02 PM
this guy name-squatted internal package names on public indexes

happy-kitchen-89482

02/17/2021, 10:02 PM
although interestingly I knew about the (off topic) PyPI movie spam from that other link

flat-zoo-31952

02/17/2021, 10:03 PM
this attack is actually really scary to me personally because I have very intentionally built systems that would be vulnerable to it
and it was the challenge of maintaining the correct boundaries of a complex set of company-internal dependencies that led me to seeking out monorepos and digraph build tools

happy-kitchen-89482

02/17/2021, 10:19 PM
Yeah, that is a big attack surface.
That's an excellent point in favor of monorepos

hundreds-father-404

02/17/2021, 10:20 PM
Josh, would you be interested in writing a Pants blog post about your experience with this topic? We'd be happy to help edit etc.

enough-analyst-54434

02/17/2021, 10:39 PM
I'm missing the monorepo argument here. It seems the same thing could go wrong on an even bigger scale. Is it just that you have only 1 repo to fix?

flat-zoo-31952

02/17/2021, 10:39 PM
possibly yes, let me get back to you next week when I have a better idea of my new schedule
💯 1

enough-analyst-54434

02/17/2021, 10:40 PM
Or are you thinking monorepo means monorepo with no exceptions so there are 0 internal deps satisfied via requirements?

flat-zoo-31952

02/17/2021, 10:50 PM
John, yes, I was hinting at more of a "0 deps shared via requirements" thing
I understand that some orgs use multiple "monorepos" and share requirements via internal package indexes; I'm not sure that this helps in that situation