They seem to beat their chest in every elaborate highly technical post-mortem as they report the timestamp of events down to the millisecond as if we should be impressed!
Every time they screw up they write an elaborate postmortem and pat themselves on the back.
Don't get me wrong, better have the postmortem than not.
But at this point it seems like the only thing they are good at is writing incident postmortem blog posts.
The malicious code had nothing to do with the stylus package. One of the maintainers of stylus published malicious code in another package, and GitHub's / npmjs's response was to nuke ALL packages that he was a maintainer of, including stylus.
At a minimum I consider it like an automatic "garbage collection" mechanism that prevents dead and abandoned things from remaining "valid forever".
It also helps with things such as change of ownership, so after a certain period of time you can have the peace of mind that certs potentially issued by the previous owners are not lingering around as active (I understand things such as revoking and pinning can help with this too, but it's nice to have a plain time-based expiry too).
I'm deeply deeply against offering self-hosted SaaS.
In summary, because it takes you from a world where 1 instance of your application exists under your full control to a world where 1000 instances of your application exist all over the place outside of your control.
At that point you turn into a "classic" software vendor where you have to help people "operate" your software. After you have long moved on from something someone will still be on the version from 3 years ago and talking to you about "upgrade/migration path".
I firmly prefer a world where there is only "one operator" for the product and I fully manage 1 instance of the product as a total black box and the end users use it as a ... hello? ... "as a service".
My advice is unless someone cares enough to write you a life-changing check ... stay away from it.