61 points by jschorr 8 hours ago | 9 comments
  • kunley 3 hours ago
    I was recently considering an engineering job offer at Grafana. In the end I was turned off by the amount of their AI-related mindless propaganda and demands they have put right in the job offer. (Which is by the way quite rare; it is rather untypical to state in the position description how a developer should use AI tools, even though everyone can imagine what it looks like.)

    Looks like they could have invested more energy in the processes and security rather than catching up with the "innovation" craze that much.

    • mhitza 31 minutes ago
      Jobs are truly ridiculous in today's market. Not only do you have to be "AI-native" with more years of experience with GenAI code than the time since it started getting popular, but you also get jobs that require you to know Claude Code in 'n' out, as if no other agent coding exists.
    • pllbnk 2 hours ago
      The companies are now so often looking for "AI engineers" or "engineers with AI experience", which is crazy given how the current generation of AI tools is in very early stages and spending a lot of time mastering them might be time well wasted if many of them actually believe in any further advances, much less AGI. If what the AI overlords promise is to materialize, then all these primitive tools like agents, MCPs, plugins (or "marketplaces", which is crazy that LLMs couldn't help them come up with a better name) and whatnot should be just an insignificant blip in the history of AI evolution.
      • sshine an hour ago
        Companies that care about the 3-15 months of agentic engineering experience you could possibly have (15 months if you count by the launch of Claude Code, 3 months if you count by when that term was coined) don't think about AGI. They think about immediate productivity gains and not working against company culture from the very beginning of their employment.

        I remember one job interview where the team lead interviewing me and I had completely different takes on static vs. dynamic typing. It was an awkward moment when we realized we'd never agree, and attempting to cooperate would be very burdensome. Don't hire someone who thinks what you're doing is stupid. AI really divides the waters, better be up front.

  • oori 6 hours ago
    Quote: “The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase. ...we’ve determined the appropriate path forward is to not pay the ransom.”
  • londons_explore 4 hours ago
    Is there anything of value in the internal codebase?

    So many companies' internal codebases are of approximately zero value to any outsider. The code is only a small proportion of the business.

    • Rapzid 3 hours ago
      Maybe some EE stuff like SSO and etc? Unfortunately layering that stuff on is super low effort in these LLM days.
      • dijit 3 hours ago
        Grafana OSS does support SSO out of the box, at least OIDC (which is a technically superior standard to SAML w.r.t. security).

        The Enterprise edition seems to focus a lot on meta-information about Grafana itself: the most frequently accessed dashboard, who is viewing the current dashboard, etc.

        There's also group-sync, I guess, which is useful, but honestly the selling point of enterprise is the support I think.

        In fact, I might buy enterprise following this, the fact that so much is in the base product gives me the warm fuzzies.

  • jwr 3 hours ago
    "Threat actor"… I love this "security" lingo. Threat actors, attack vectors, state actors :-)
    • scotty79 2 hours ago
      Let's hope they don't go kinetic.
  • sangeeth96 5 hours ago
    I wonder if this is related to the supply chain attack they talked about at GrafanaCon[1] or a fresh leak. If latter, wonder what they missed since it seemed like they got their detectors/scanners set up well. Curious to read the report on this.

    [1] https://youtu.be/4D068lS85NY

  • iririririr 6 hours ago
    aren't they just psql tho? well, i guess we will find out soon.
  • anotherhue 7 hours ago
    Their whole repo had been made public !!!!

    https://github.com/grafana/grafana

    /s

    • jchw 6 hours ago
      This is worse than the Linux kernel source code leaks of April 1st.
    • esseph 5 hours ago
      I think they mean grafana cloud.
  • fsckboy 5 hours ago
    >We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase.

    I don't much like the securityese dialect of bureaucratese, but doesn't it make more sense as "We recently discovered that a threat actor obtained a token with access to the Grafana Labs GitHub environment, enabling the unauthorized party to download our codebase" ?

    you can't just drop in buzzwords willy nilly, they buzz better in the right places.