Michael Prescott @ Sonatype

149 posts

@devcasing

Product Director, Nexus Repository

Toronto, Ontario. Joined November 2017
46 following, 72 followers
Michael Prescott @ Sonatype (@devcasing):
@ecammtweets Ok, good to know! I can move to the next stage of grief now. Let me know if there are any former user meetups where we can all stare glumly at the punch bowl. :P
Ecamm #EcammFam (@ecammtweets):
@devcasing Hi Michael! No, we don't have any plans to update iGlasses, unfortunately.
Michael Prescott @ Sonatype (@devcasing):
@ecammtweets Big fan of iGlasses. Any plans to update it to work with recent Mac OS versions? Mine loads but does nothing, and no apps seem to find it as a camera.
Michael Prescott @ Sonatype (@devcasing):
@Zoom Please add an affordance to this invisible button, every time I move the Zoom window on my desktop I turn off screen sharing without realizing it.
Michael Prescott @ Sonatype retweeted
Brian Fox @brian_fox@fosstodon.org
I’ve spent much time thinking about why organizations struggle to understand the implications of the rise in malicious oss compared to typical vulnerabilities. It ultimately comes down to psychology. In this article, I explore the psychological barriers that prevent effective action against these threats. forbes.com/sites/forbeste…
Michael Prescott @ Sonatype retweeted
Ilkka Turunen (@llkkaT):
🚨 an example of an adversary trying to push their malware as a coding solution. Please be careful with any dependencies
Ax Sharma (@Ax_Sharma):

A threat actor is now advising StackOverflow devs seeking debugging help to install a 'pytoileur' #Python package as a "solution" to their code troubles. 🛑DO NOT fall for this, it's a trap—the package has encoded code hidden on line 17 via whitespaces and infects Windows users with #trojan as soon as it's installed! sonatype.com/blog/pypi-cryp… #opensource #malware
Michael Prescott @ Sonatype retweeted
Ilkka Turunen (@llkkaT):
The NVD backlog just went over 10,000 unanalysed issues
Michael Prescott @ Sonatype retweeted
Ilkka Turunen (@llkkaT):
A stark reminder from the attack on XZ & liblzma: It's more than a vulnerability, it's a calculated assault on the stretched open-source infrastructure of our digital world. Read my full take on the implications, actions you can take and the urgent call for collective vigilance blog.sonatype.com/cve-2024-3094-…
Michael Prescott @ Sonatype (@devcasing):
make direct, unprotected public registry access a real risk. Older supply chain attacks were trying to sneak a bad library into production, but newer attacks are targeting development secrets and infrastructure. Hard to develop securely when half the dev boxes have been owned!
Michael Prescott @ Sonatype (@devcasing):
We've changed our stance over the years, we now recommend actually blocking developer access to public registries and forcing everyone through the proxy. We used to think of that as draconian, but the explosion of supply chain attacks in volume and variety—
Michael Prescott @ Sonatype retweeted
Sonatype (@sonatype):
📢 Today marks a new era! Introducing SBOM Manager - the industry's first integrated system of record for managing SBOMs! A powerful, one-stop shop for easy, cost-effective, and compliant #SBOM management, monitoring, and distribution. bit.ly/4cnJpPU
Michael Prescott @ Sonatype retweeted
Maury Cupitt (@maurycupitt):
How to get started with Repository Health Check (RHC) 2.0, available in Sonatype Nexus Repository Manager 3.3: share.sonatype.social/nfjeu
Michael Prescott @ Sonatype (@devcasing):
I don't cry that often, but every now and again I hit ⌘ + Option + m to add a comment to a Google doc in view-only mode. Chrome handles that as a request to minimize all fifty of my browser windows across five desktops and dump them in the Dock bar. T_T
Michael Prescott @ Sonatype retweeted
Brian Fox @brian_fox@fosstodon.org
Well, the CRA passed through committee in a way that will avoid further discussion. There's zero chance they knew there were still significant issues and yet here we are. Read more: devops.com/the-cyber-resi… Current status: