Really disturbed by the number of people who think that OSS maintainership have zero responsibility to keep the code secure and reliable. Yes, it's also on the consumer to verify it, but there's the assumption that the maintainer isn't hostile.
Conversation
Replying to
I think that depends a lot on how they've presented the project and whether it's more than just a hobby project. If they made it for fun, aren't earning money from it and never gave anyone a reason to think otherwise I don't think they can be expected to have much responsibility.
1
I was surprised to see there's no package signing in npm, so people were also trusting that this developer used a strong password without reuse elsewhere. Security-critical products depending on hobby projects with no code review or funding is probably a bad idea in general.
2
1
If you're making a product where security is critical and a lot is at stake if you get it wrong, like a cryptocurrency wallet, it's probably a good idea to carefully choose dependencies, figure out who you're trusting and make sure those projects have some resources for security.
1
1
1
I do think OSS developers have responsibility for security, but it depends on the kind of project and the support they're getting. The people using their code share the responsibility for making sure the project has the resources it needs to stay maintained and secure.
Replying to
Totally agree with this. There really needs to be an org that provides security officer type resources to lots of those smaller projects. Issue is, often the users have no good way to contribute to the smaller projects.
1
Replying to
They don't have the expertise to do the security work needed. And there is no way to just give money as the author likely does not have it as well.