Disagree.
Replying to @pcwalton
How do you vet and security check them all? Any process one can put in place scales badly with the number of dependencies.
2 replies 0 retweets 9 likes -
Replying to @mitsuhiko
How do you vet and security check all the OS libraries you depend on? I think people like to complain about Cargo, NPM, etc. because they make the complexity of software very visible, when the real issue is just that software is complex.
7 replies 9 retweets 38 likes -
Replying to @pcwalton
I come from the Python world which has significantly fewer dependencies due to the restrictions of the import system. There the total number of involved actors is much smaller and easier to audit.
2 replies 0 retweets 0 likes -
Replying to @mitsuhiko @pcwalton
As an example every sentry dependency in Python is signed off now. Nobody is allowed to add a new one without sign-off.
1 reply 0 retweets 0 likes -
Replying to @pcwalton @mitsuhiko
So if someone writes a homebrew implementation of AES-GCM, that doesn’t require signoff, but importing NaCl would? Seems like that policy makes security worse, not better!
2 replies 1 retweet 0 likes -
Replying to @pcwalton
That’s not a realistic concern because nobody writes that. On the other hand we do specifically not allow the use of third party api libraries for things like slack or jira to ensure our network restriction system is used.
1 reply 0 retweets 0 likes -
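One way to enforce the sign-off rule @mitsuhiko describes above (no new dependency without review) together with the rule in his later reply (no direct third-party Slack/Jira client libraries, so the project's network restriction layer is always used) is a CI gate over the requirements file. The script below is an added illustration and is not Sentry's tooling; the approved list, the banned list with its reasons, and the requirements text are all constructed for the example.

```python
"""Enforce a dependency sign-off policy against a requirements file.

Added illustration for this thread: the allowlist, denylist and requirements
below are constructed; nothing here is Sentry's actual tooling or policy data.
"""
import re
from typing import Dict, List, Set

# Package names already reviewed and signed off (constructed sample).
APPROVED: Set[str] = {"django", "requests", "cryptography", "pynacl"}

# Packages deliberately disallowed, with the reason a reviewer would see.
# Mirrors the thread's point: a direct third-party API client would bypass
# the project's own network restriction layer (constructed sample).
BANNED: Dict[str, str] = {
    "slackclient": "use the internal network-restricted HTTP client instead",
    "jira": "use the internal network-restricted HTTP client instead",
}

# Constructed requirements file to check.
SAMPLE_REQUIREMENTS = """
# pinned application dependencies
Django==4.2.7
requests>=2.31,<3
cryptography==41.0.5
PyNaCl==1.5.0
slackclient==2.9.4      # someone added a direct Slack client
left-pad-py==0.1.0      # brand new, never reviewed
-e git+https://example.invalid/repo.git#egg=internal_tool
"""

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """Canonical form per PEP 503 so 'PyNaCl' and 'pynacl' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[str]:
    """Return normalized package names from a requirements.txt body.

    Skips blank lines, comments and pip options (-e, -r, --index-url ...);
    strips extras and version specifiers. '#egg=' names on VCS lines are
    recovered so editable installs are not silently ignored.
    """
    names: List[str] = []
    for raw in text.splitlines():
        line = raw.strip() if "#egg=" in raw else raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("-"):
            m = re.search(r"#egg=([A-Za-z0-9._-]+)", line)
            if m:
                names.append(normalize(m.group(1)))
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def check_dependencies(text: str, approved: Set[str],
                       banned: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every dependency as ok, needs_signoff, or banned."""
    approved_n = {normalize(a) for a in approved}
    banned_n = {normalize(b): reason for b, reason in banned.items()}
    report: Dict[str, List[str]] = {"ok": [], "needs_signoff": [], "banned": []}
    for name in parse_requirements(text):
        if name in banned_n:
            report["banned"].append(f"{name}: {banned_n[name]}")
        elif name in approved_n:
            report["ok"].append(name)
        else:
            report["needs_signoff"].append(name)
    return report


def policy_passes(report: Dict[str, List[str]]) -> bool:
    """CI gate: fail the build if anything is unreviewed or banned."""
    return not report["needs_signoff"] and not report["banned"]


if __name__ == "__main__":
    result = check_dependencies(SAMPLE_REQUIREMENTS, APPROVED, BANNED)
    for key, items in result.items():
        for item in items:
            print(f"{key:14s} {item}")
    raise SystemExit(0 if policy_passes(result) else 1)
```

Run as a CI step, the gate fails on the constructed file because `slackclient` is banned and `left-pad-py` and `internal_tool` have never been signed off; a reviewer adds a name to `APPROVED` only after the review the thread describes has happened, which keeps the number of actors to audit bounded by the allowlist rather than by whatever the package manager can resolve.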
Replying to @mitsuhiko
People absolutely do write their own crypto code, with disastrous results. See Cryptocat.
0 replies 0 retweets 0 likes -
There’s no fundamental difference. Crypto just had to figure things out before the rest of the industry did, because the stakes are higher. Software is hard, and that’s why we need to converge on mature well-tested implementations of things instead of rewriting forever.