When the left-pad debacle happened, I feared that people would conclude “dependencies are bad”. (Instead of the logical conclusion, which is “don’t allow dependencies to be deleted from package registries.”) That prediction turned out to be true. :(
No, but see the next qualifier: we _do_ believe (whether true or not) that there's some kind of checking / reviewing funnel on "authors of the Windows kernel", both on hiring, ongoing management, and per-commit review by colleagues.
Here is the thought experiment to do: is it currently easier -- seriously, think it over -- to adopt an abandoned dep and ship an exploit as a minor rev, or is it easier to get a job as a junior programmer at Microsoft and smuggle an exploit past your senior engineer reviewer?
I only need to trust one entity for Windows: Microsoft.
That reasoning is giving you a false sense of security.