I'm absolutely not suggesting that. I'm suggesting that the fact that almost no meaningful AAA system exists for distributed software development teams is an interesting and worthwhile problem to focus attention on.
-
Let me define "small" differently: a dependency you would feel little difficulty in rewriting yourself. Especially if picked up transitively, without even noticing it. The concern here is that people are underestimating the additional auth & audit risk when making that judgement.
-
I have the opposite concern. People *feel* little difficulty rewriting text shaping. Then they ship Latin-only apps. There are costs the other way too, and programmers frequently underestimate *those* costs.
-
I’m not talking about writing a competitor to libsodium! People can feel free to do that. I’m talking about programmers writing home-brew implementations of crypto into their random apps because they don’t want to take dependencies.
-
It can also be dangerous to reuse code that's poorly implemented or maintained. This is particularly true with cryptography. I often see libraries as a painful compromise because I know I could do a better job if I had the time to invest. Sometimes I can't make that compromise.
-
Yeah, the flip side of “never write your own ___” is when everyone ends up uncritically using a poor off-the-shelf implementation, whose flaws then end up getting revealed.
-
If verifying crypto is anything like every other formal verification effort, I suspect 200 lines of crypto are a lot more dangerous to rewrite than 20.