notes VS sudo

This change would certainly have helped against the infamous "Gathering weak npm credentials" research[0] from 2017, but I think that most recent supply chain security issues (in NPM, at least) have been due to: 1) typosquatting, 2) developers deliberately adding malicious (or unwanted) code into their own packages, and 3) deep transitive dependencies on packages that have genuine bugs that lead to vulnerabilities.

It's not clear that this 2FA requirement would fix any of those problems, but it could one day allow package management tools to flag up when one developer has given/sold control of their package over to someone else who has less of a reputation and might be malicious, as was the case with the event-stream package.[1]

[0] https://github.com/ChALkeR/notes/blob/master/Gathering-weak-...

[1] https://www.eweek.com/security/node.js-event-stream-hack-exp...

According to one research, 14% of the Node Package Manager is affected with some or the other security issues. So, what is the cause of these security issues?

In 2015, Nikita Andreevich Skovoroda, a member of the Node.js Technical Steering Committee, performed a scan on GitHub search and npm. Afterwards, he was able to obtain over 100 passwords and nearly 200 tokens for accounts associated with a number of frequently installed packages.

It depends on whether sudo was compiled with --disable-env-reset or not, it's on by default[1].

Also some variables are inherited regardless (e.g. DISPLAY, TERM), and some useful ones (e.g. HOME) are initialized by sudo, but I can't tell where that's done.

[1]: https://github.com/sudo-project/sudo/blob/ef52db46f9b375d7ff...

Side note that I've always found interesting: sudo is almost entirely maintained by one dude: https://github.com/sudo-project/sudo/graphs/contributors

The n=2 case also occurs in the commit: https://github.com/sudo-project/sudo/commit/7873f8334c8d3103...

And indeed, the two values ate bitwise complements.

One feature they didn't mention they left out was the ability to run `make me a sandwich` (https://github.com/sudo-project/sudo/blob/main/Makefile.in#L...)

It's (kind of) back - https://github.com/sudo-project/sudo/commit/9757d29a24ac1872872cf09757b0439c54089707

└───────────────────────────────────────────────────────────────────────────────────────┘

As a comparison, this is the output for https://github.com/sudo-project/sudo:

       0.0439 secs

Complete list (can be found here, files ins_*.h):

Fun fact, the “incident will be reported” message was close to being removed from sudo recently: https://github.com/sudo-project/sudo/commit/6aa320c96a37613663e8de4c275bd6c490466b01