Ehh, I think GP was saying it doesn’t fit with the tone of a message board reply, so it seems cut and paste from some outside place. Either a press release, a review snippet, or AI.
One would imagine they are broadly similar; but that's off the assumption that codebases are similar as well.
Migrations between versions can have big variance largely as a function of the parent codebase and not the dependency change. A simple example of this would be a supported node version bump. It's common to lose support for older node runtimes with new dependency versions, but migrating the parent codebase may require large custom efforts like changing module systems.
This was created by Zach Latta, who runs an awesome non-profit called Hack Club that produces some of the top high school technical talent through community coding clubs. I highly encourage you to donate to Hack Club!
Hack Club is amazing! I've gotten so many amazing opportunities to build stuff and help out with events. I got to build and run waka.hackclub.com (self-hosted WakaTime backend), and at its peak we got over 21 thousand kids tracking over a quarter million hours in the software I built. Crazy experience. Getting to talk and interact with other techy teens is the best part about it, though; we have a massive Slack which generates the best techy conversations I typically have on a day-to-day basis.
I run a software supply chain company (fossa.com) -- agree that there's a lot of low-hanging gains like inventory still around. There is a shocking amount of very basic but invisible surface area that leads to downstream attack vectors.
From a company's PoV -- I think you'd have to just assume all 3rd party code is popped and install some kind of control step given that assumption. I like the idea of reviewing all 3rd party code as if it's your own, which is now possible with some scalable code review tools.
Those projects seem to devolve into boil-the-ocean style projects and tend to be viewed as intractable and thus ignorable.
Back in the days when everything was HTTP, I used to set a proxy variable and have the proxy save all downloaded assets to compare later; today I would probably blacklist the public CAs and do an intercept, just for the data of what is grabbing what.
FedRAMP was defunded and is moving forward with a GOA-style agile model. If you have the resources, I would highly encourage you to participate in conversations.
The timelines are tight and they are trying to move fast, so look into their GitHub discussions and see if you can move it forward.
There is a chance to make real changes but they need feedback now.
+1, I think you have to assume owned as well and start defending from there. Companies like Edera are betting on that, but a sandbox isn't a panacea; you really need some way to know expected behavior.
Very interesting research -- possibilities are endless for personalization, rigging, character animation. Especially interesting how few frames it takes to accomplish this.