Really disturbed by the number of people who think that OSS maintainers have zero responsibility to keep the code secure and reliable. Yes, it's also on the consumer to verify it, but there's the assumption that the maintainer isn't hostile.
I think that depends a lot on how they've presented the project and whether it's more than just a hobby project. If they made it for fun, aren't earning money from it and never gave anyone a reason to think otherwise, I don't think they can be expected to have much responsibility.
I was surprised to see there's no package signing in npm, so people were also trusting that this developer used a strong password without reuse elsewhere. Security-critical products depending on hobby projects with no code review or funding is probably a bad idea in general.
If you're making a product where security is critical and a lot is at stake if you get it wrong, like a cryptocurrency wallet, it's probably a good idea to carefully choose dependencies, figure out who you're trusting and make sure those projects have some resources for security.
I do think OSS developers have responsibility for security, but it depends on the kind of project and the support they're getting. The people using their code share the responsibility for making sure the project has the resources it needs to stay maintained and secure.
Yep. I remember when I called out Docker on the lack of signing of container images. One guy said it was a wanted feature from very early on. Turns out the bug number was around 2000, so far from an early feature.
Also, as was pointed out, npm did not verify that the minified version of the code matched the published version. That needs to be fixed. Either npm generates it, or it is generated locally at install time.