When the left-pad debacle happened, I feared that people would conclude “dependencies are bad”. (Instead of the logical conclusion, which is “don’t allow dependencies to be deleted from package registries.”) That prediction turned out to be true. :(
-
So if someone writes a homebrew implementation of AES-GCM, that doesn’t require signoff, but importing NaCl would? Seems like that policy makes security worse, not better!
-
That’s not a realistic concern because nobody writes that. On the other hand, we specifically do not allow the use of third-party API libraries for things like Slack or Jira, to ensure our network restriction system is used.