This all started after the xz backdoor incident. Since then, I can’t shake the thought that if I install the wrong thing, it could mess things up really badly. At the same time, these tools could make my life at work so much easier.
Emacs is another example. With or without packages, it installs a bunch of stuff I don’t really understand. Because of that, I usually just stick to the basics: VS Code, Terraform, kubectl—tools I feel safer with because they come from well-known sources.
So I’m curious: how do you deal with this? Do you ever worry about your work machine getting compromised because of an open-source tool you installed? Any advice is appreciated.
0x3f • 1h ago
In an average startup/mid-size (i.e. a place with no enforced controls) I really doubt the soft expectation would be for you as a random engineer to pre-empt something like the xz backdoor. Or be worried about something as well-used as k9s/emacs.
Of course, some companies are special cases with different expectations and requirements, ymmv.