When the left-pad debacle happened, I feared that people would conclude “dependencies are bad”. (Instead of the logical conclusion, which is “don’t allow dependencies to be deleted from package registries.”) That prediction turned out to be true. :(
So if someone writes a homebrew implementation of AES-GCM, that doesn’t require signoff, but importing NaCl would? Seems like that policy makes security worse, not better!
-
-
That’s not a realistic concern because nobody writes that. On the other hand we do specifically not allow the use of third party api libraries for things like slack or jira to ensure our network restriction system is used.
-
People absolutely do write their own crypto code, with disastrous results. See Cryptocat.
- 5 more replies
New conversation -
-
-
You might say this is pointless but I strongly disagree with our opinion here. This is the only realistic way to ensure user data is safe. I doubt Mozilla would be happy to ship thousands of unvetted JS libraries in Firefox either.
-
Mozilla is already shipping a whole lot of Cargo dependencies in Firefox.
- 2 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.