Dan Lorenc

Big week for @chainguard_dev! chainguard.dev/unchained/seri…

@TurnerNovak I have reached an agreement with Chipotle to either acquire a burrito bowl tomorrow for $17 or to pay them $1 for the work we've done together.

@lorenc_dan Does this also come with a $10B breakup fee?

Whoa, congrats to Chainguard on the 2nd biggest partnership of the day!

There's something charming about watching claude build other agents. When you debug prompts and tool calls, you can almost see it empathize with the smaller, weaker agent.

@feross That's not actually what happened with xz-utils or axios man. It's fine to disagree about the right way to solve this! Keep building man!

Chainguard's CEO published a post this week arguing that scanners are "working against an adversary that's already beaten them" and that "the Axios attack was pulled hundreds of thousands of times before a single scanner flagged it." This is factually incorrect. Here's the timeline, all publicly verifiable: plain-crypto-js@4.2.1, the malicious payload, was published to npm on March 30 at 23:59 UTC. @SocketSecurity AI flagged it as malicious at 00:05 UTC. Six minutes. The first compromised Axios version wasn't published until 00:21 UTC, 16 minutes after we'd already flagged the attack. All this version did was add a dependency on the package we'd already caught. Socket customers with AI malware blocking enabled had installs blocked automatically during the entire three-hour exposure window. No CVE required. No luck required. This was independently corroborated by Snyk, Huntress, Orca Security, and InfoQ each of whom published their own analyses of the attack. Calling scanning "theater" while getting the facts of the year's biggest scanning success story wrong doesn't strengthen the argument. Scanners and hardened images aren't competing answers. They're complementary layers. The industry needs both. I agree with part of the post's broader argument. The trust model for open source consumption needs work. I've been maintaining npm packages with billions of cumulative downloads for over a decade. I know what's broken. But you don't fix the trust model by dismissing the defenders who are actually catching attacks and protecting the community. When we catch a malicious package, we report it to the registry and get it taken down. That protects every developer, not just our customers. Their proposed alternative, rebuilding packages from source, doesn't address the attacks that actually matter. The Axios attack was a maintainer account compromise that poisoned the source. xz-utils was a malicious maintainer who spent two years building trust and poisoned the source. Building from source just rebuilds these attacks faithfully. The most consequential supply chain attacks walk right through this model. Building from source doesn't stop bad source. And you don't fix this problem by declaring open source dead while your company's entire product is built on top of it. A Harvard study estimated the demand-side value of widely used open source at $8.8 trillion. The people maintaining that infrastructure are mostly unpaid. When they get targeted by nation-state actors, the answer should be to fund, support, and protect them, not warn enterprises away from their packages so you can sell a replacement. Open source is under attack because of how much value it creates. That's an argument for investing in it, not writing its obituary. Back to building.

@GergelyOrosz We do the opposite and just give you safe ones we've built ourselves.

What are vendors that offer scanning of PRs or repos to protect against malicious dependencies? I know of Sonar (Advanced Security), Socket .dev, JFrog. What else do you know of or use and what does it do? (At some point, you want more than just pinning an old package version)

LinkedIn is going to go wild when they hear about this next week: browsergate.eu

@GergelyOrosz Would love to do a podcast with you about this!

Supply chain attacks are becoming more frequent, and far more serious. What are sensible practices to protect against these when using Node or Python packages? I assume pinning versions is the bare minimum; for those with security teams / tools: why else do you do / can you do?

@andrew__reed No babe I love your dependencies. The pinned ones scare me.

@lorenc_dan it’s scary as hell out there rn

Software supply chain is the main event that hasn’t hit mainstream media yet

some news; @latentpatterns 🤝 @chainguard_dev Chainguard will provide secure images for the embedded terminals within Latent Patterns. You’ll be able to run Claude code from within your browser. Zero api key provisioning or software installation. It just works, even on a Chromebook, from your browser... Thanks @lorenc_dan 🍻 ps. @chainguard_dev is hiring, and Dan mentioned employees get a near-unlimited budget for tokens...

Multicloud, my take on Gastown is alive, self-hosting, and cranking. Gastown showed me the future, this is my version of it. Check it out! github.com/dlorenc/multic…

Send help. I ignored all the instructions and used my Polecats with the Refinery. The Mayor and Deacon reported me to the Witness and the Sheriff is after me.

If working in OSS sometimes feels like running on a treadmill, then “done” software is the rare moment when the pace finally eases. By @lorenc_dan, thanks to @chainguard_dev thenewstack.io/put-a-fork-in-…

@InfraScaler @topjohnwu Clown is a job requirement for me so thankfully I'm good

@lorenc_dan @topjohnwu Have you ever had a job where the description didn't match that of a clown?

The recent FFmpeg drama with Google is insane, and I'm surprised that so many people agree with FFmpeg's take on X. Google isn't even demanding FFmpeg's maintainer to fix the security bug. Are we living in a world now that sending LEGITIMATE bug reports is suddenly a sin?

@InfraScaler @topjohnwu Have you ever worked in security?

@lorenc_dan @topjohnwu Wait, if publishing an unfixed bug in an OSS project made it more secure why would they wait 90 days to do it?

@InfraScaler @topjohnwu Or else they publish the bug so everyone using it can protect themselves...

@topjohnwu Of course they are demanding a fix, hence the 90 days "or else".

I am the main developer fixing security issues in FFmpeg. I have fixed over 2700 google oss fuzz issues. I have fixed most of the BIGSLEEP issues. And i disagree with the comments @ffmpeg (Kieran) has made about google. From all companies, google has been the most helpfull & nice

@chrisprice @0xE1 This is the dumbest thing I've heard. Congrats, again.

@lorenc_dan @0xE1 Dismissing your insult, which honestly, I hope you change how you discuss things with others. I am still willing to have a discussion with you if you cease and desist that behavior. If not, we should just block each other. x.com/chrisprice/sta…

Google literally runs a program to pay people to fix bugs in critical OSS projects. Ffmpeg is explicitly in scope. Anyone can just send a fix and fill out a form and get paid. github.com/google/bughunt… This is all so dumb.