Gather round children, and let Daddy tell you a story known in the world of computing as "the leftpad debacle".
NPM is the computing equivalent of a gay bathhouse where programmers all gather to exchange diseases (the formal term in computer science is "bugchasing" if you want to look it up). Years ago, a programmer named Azer Koculu had a dispute with the bathhouse owner and decided to pack his shit and go play somewhere else. And then half the websites on the internet broke, including behemoths such as Netflix.
It turned out that every project that used NPM, without knowing it, depended on Mr. Koculu’s specific strain of monkeypox being present in the disease pool, and without it, the viral biome of the bathhouse became out of balance, and overnight everyone began to die of ebola-cancer-covid-aids.
This is not an aberration. This practice is such a massive problem that roughly 60% of security bugs in projects that use NPM come from hostile code in the disease pool. Surprisingly, the practice of taking random code that people post on the internet and just blindly trusting it without even reading it carries security risks.
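For readers who want something concrete to do about the blind-trust problem described above, here is a small Node.js audit that flags the usual symptoms in a project's package.json and package-lock.json: version ranges instead of exact pins, lockfile entries with no integrity hash, tarballs resolved from somewhere other than the expected registry, and packages that run install scripts. This is an added example written for this page, not code from the original post or from any project it mentions; the package names, versions, URLs and integrity strings in the sample inputs are constructed placeholders, and the registry URL and the `hasInstallScript` field follow the npm lockfile v2/v3 layout as an assumption.

```javascript
// Added example (not from the original post): a minimal dependency audit that
// flags blind-trust patterns in a package.json / package-lock.json pair.
// All sample data below is constructed; the integrity string is a placeholder.

const EXPECTED_REGISTRY = "https://registry.npmjs.org/"; // assumption: registry you pin to

// An exact pin is MAJOR.MINOR.PATCH with an optional prerelease tag and no range operator.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Check the manifest: every declared dependency should be an exact version.
function auditManifest(manifest) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT_VERSION.test(spec)) {
        findings.push({ package: name, issue: `unpinned range "${spec}" in ${field}` });
      }
    }
  }
  return findings;
}

// Check the lockfile (v2/v3 "packages" map): each installed package should carry a
// sha512 integrity hash, resolve from the expected registry over https, and be
// reviewed by hand if it runs an install script.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project entry, not a dependency
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.integrity || !/^sha512-/.test(entry.integrity)) {
      findings.push({ package: name, issue: "missing or weak integrity hash" });
    }
    if (!entry.resolved || !entry.resolved.startsWith(EXPECTED_REGISTRY)) {
      findings.push({ package: name, issue: `resolved outside ${EXPECTED_REGISTRY}: ${entry.resolved}` });
    }
    if (entry.hasInstallScript) {
      findings.push({ package: name, issue: "runs an install script; read it before trusting it" });
    }
  }
  return findings;
}

// Constructed sample inputs: one well-pinned package and one that trips every check.
const SAMPLE_MANIFEST = {
  dependencies: { "left-pad": "1.3.0", "some-transitive-dep": "^2.0.0" },
};

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: SAMPLE_MANIFEST.dependencies },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER-constructed-not-a-real-hash",
    },
    "node_modules/some-transitive-dep": {
      version: "2.1.0",
      resolved: "http://mirror.example.invalid/some-transitive-dep-2.1.0.tgz",
      hasInstallScript: true,
    },
  },
};

// Runs both audits over the constructed sample and returns the combined findings.
function runSampleAudit() {
  return [...auditManifest(SAMPLE_MANIFEST), ...auditLockfile(SAMPLE_LOCK)];
}

for (const f of runSampleAudit()) {
  console.log(`${f.package}: ${f.issue}`);
}
```

On the sample data the well-pinned package produces nothing and the sloppy one produces four findings. Pointing `auditManifest` and `auditLockfile` at a real project's parsed package.json and package-lock.json turns this into a cheap pre-install gate; it does not read the code for you, which is the part the post is actually complaining about.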
In my projects, I just plainly refuse to use NPM. But others, particularly those who care about being Diverse and Inclusive and Being Part of the Open Source Developer LGBTQIAARPAIDSASAGDMFPC++ Community insist upon using NPM because of course it’s Industry Standard Practice.
Most projects count on the fact that their competition is exposed to exactly the same disease pool that they are. And you know… writing your own code is HARD right? Right? Nobody knows how to do that. It’s Much Easier to just reuse other people’s code. Just like it’s better to reuse other people’s condoms. It’s called being green. Get with the times or get out, bigot.
That reminds me of an incident from the latter period of the covid retardation. I was in the liquor store, which at the time had a mask mandate. Dude A tries to walk in the store without a mask, and the clerk stops him and tells him he needs to wear a mask. Dude B happens to be leaving at the same time, and just hands Dude A his mask (which Dude B was just wearing). To be sanitary, Dude A flipped it around so his mouth didn’t touch the portion of the mask that Dude B’s mouth was touching. That would be gay. The clerk let him in. (This entire exchange took place in full view of the clerk).
I’ve seen some projects try to take some measures to mitigate NPM risk. Nobody has ever decided to just write their own code. That would be stupid. By far my favorite instance of this is Ethereum’s attempt to mitigate the bathhouse problem.
Ethereum is for the most part a complete fucking shitshow from top to bottom. Like not as in a disaster type of shitshow, I mean the sort of shitshow you see in the really weird gay bathhouses for people who are into that sort of thing.
I hate using radiator words, but sometimes they’re appropriate, and this is one such instance: I feel like I’m gaslighting myself every time I tell people what LavaMoat is. Like I get that twinge in my stomach that you get when you exaggerate something slightly in order to make a point. And then I go re-read their website to fact check myself and invariably I stumble upon some new horrific detail and actually it’s worse than what I said.
This time I noticed this gem:
It’s not just a runtime. It’s also a build system and packaging tool. I… you know what, this isn’t even the point I want to make.
I want to talk about the title of that article:
Using LavaMoat To Solve Software Supply Chain Security
Imagine being a person who knows what words mean and not only thinking those words, but then also writing them down, and then posting something that retarded in public.
I don’t believe the Ethereum people are that retarded, despite what they clearly want us to think (remember NFTs?). There are finite limits to the human capacity for retardation, and the phrase "To Solve Software Supply Chain Security" is orders of magnitude beyond any such limitation.
Rather what I suspect we’re seeing here is an instance of The Cannon Conjugate.
The idea of The Cannon Conjugate is that whenever you hear a buzzword or the name of some government program, or some weird corporate phrase, you think about what it means from the perspective of the people who came up with it.
The classic example is "social security". "Welfare". "Public health". "Public education".
Sometimes they’re less obvious and you have to think about cases where words might have multiple possible meanings and your brain, acting out of charity, picks the wrong one.
"Fact checking" is such an example. To "check" facts in this context means not to check facts as in to verify them, but rather to check facts as one would check an opposing player in a hockey game. You can tell this is the case because "fact checkers" didn’t exist until the truth started getting out.
What might it mean To Solve Software Supply Chain Security? What is the problem being solved there? There’s no way to know. And that’s not really what I want you to take away from this article.
What I want you to take away is The Cannon Conjugate. I’ve found it to be a very valuable tool in my cognitive toolkit, and I hope you will too.