# About
Just an ex-con trying to fly straight and get his kids back.
That's a contradiction: a bucket name being treated as a secret in IaC while also being a user-facing resource. So no, they're not user-facing resources.
If anyone wants them to be user-facing resources, then treat them as such, ensure they're secure, and don't store sensitive info on them. Otherwise, put a service in front of them and have the user go through it.
The S3 protocol was meant to make the lives of programmers easier, not end users.
It's a fine balancing act between getting the latest updates and avoiding supply chain attacks.
I completely understand the author here, because I'm actually also leaning more towards avoiding supply chain attacks than jumping on the latest CVEs.
It's just a gut feeling, rooted in 25 years of experience as a sysadmin, but I feel like a supply chain attack can do a lot more damage in general than most unpatched known vulnerabilities.
Just based on my own personal experiences, no real data.
I'll try to put words to it: a supply chain attack is more focused, with a higher chance of infiltration, while a CVE is very rarely exploited en masse, and exploitation often comes with many caveats.
That, combined with the current state of the world, where supply chain attacks seem to be a very high-profile target for state actors.
This project is an enhanced reader for Ycombinator Hacker News: https://news.ycombinator.com/.
The interface also allows you to comment, post and interact with the original HN platform. Credentials are stored locally and are never sent to any server; you can check the source code here: https://github.com/GabrielePicco/hacker-news-rich.
For suggestions and feature requests you can write to me here: gabrielepicco.github.io