Conversation

Really disturbed by the number of people who think that OSS maintainership has zero responsibility to keep the code secure and reliable. Yes, it's also on the consumer to verify it, but there's the assumption that the maintainer isn't hostile.
I was surprised to see there's no package signing in npm, so people were also trusting that this developer used a strong password without reuse elsewhere. Security-critical products depending on hobby projects with no code review or funding is probably a bad idea in general.
If you're making a product where security is critical and a lot is at stake if you get it wrong, like a cryptocurrency wallet, it's probably a good idea to carefully choose dependencies, figure out who you're trusting and make sure those projects have some resources for security.