TheEvertw
Continuous Delivery
comments
Comments by "TheEvertw" (@TheEvertw) on "Disturbing Cyber-Security Attacks On Software Supply-Chains" video.
Issues like this are why I do not give my credentials for e.g. pushing changes to my repo to a tool like my IDE. I will use the git CLI for pushing code to servers, thank you very much. Security starts with limiting the number of parties you trust with your credentials. I will not entrust an IDE with my credentials, and I think it is wrong of JetBrains, in this instance, to ask for them. Same for SSH private keys. Of course, the danger from CI/CD pipelines is even greater, as these need to have credentials to access the production pipeline. I hope this episode will teach people to be more careful with what they entrust their tools with.
1