
> Doing nothing about it is approximately the least defensible.

Everything you do has a cost. Increased friction which makes people work around it. Lower productivity. Time spent implementing it that cannot be used to implement something more useful.

Don’t just do something. Do something that improves the situation - and Google does. Their statement indicates that they consider the developer’s machine as fundamentally not trusted - and I’d consider that a correct assumption. Some of the thousands of machines will be compromised at any given time. Whether it’s via this exploit, or another or by bribing the engineer doesn’t matter. What matters is that they attempt to contain the issue at that boundary.



I don't know why you interpret that that way, but I sure hope you don't write the autopilot to any planes I might fly in or anything else important with such logic.

I did not say or imply or suggest to "do something, anything" without caring if it's sensible or effective.

"anything" simply means there is no limit to the possible suitable things.

There is also no limit to the possible unsuitable things, but so what?

It is beyond stupid to take that starting point and conclude that anyone suggested "Maybe Google should issue Tarot decks to all employees to determine if they should press enter at the end of every shell command." just because, after all, that is something and included in "anything".

I can't know which of the infinite possible detailed measures make sense within Google's environment. But I don't have to to still know that they exist. The details will depend on internal details only they know.

If I say "wrap the pip command in an internal wrapper that performs various checks" surely there is some reason that is not practical or not effective enough, exactly as stated. Or maybe that would exactly clear it all up. But if not, ok so something else then. Have some imagination. But that does not remotely imply random nonsense.



