Indeed. Unlike the contents of npm, there are presumably groups of people reviewing that code and making sure internet randos aren't putting in whatever they want.
but as far as I know there aren't a lot of things like the Linux Foundation critical infra project work going through the chain of trust
I think the issue is it falls on individual devs and teams to do so much binary entity reputation management, and tools like WhiteSource aren't common
so there isn't an equivalent of those industry-wide chains of trust that are there in your healthcare metaphor
whether it's Node hit a CoC bump and forked itself again or an npm package, it's a burden on devs to know how many turtles down to look
