Every time someone claims that "the problem" with software is too many dependencies, they're really arguing for software to remain at the "leeches for blood letting" stage of evolution. In all industries, we stand on the shoulders of giants by abstracting what we already know.
I think it's reasonable to ask that we do a better job of identifying the equivalent of "experimental treatments" so people can do a proper risk assessment, but assuming that "everything published to npm" is automatically suspect is not the right heuristic.
Replying to @wycats
The threat model is that unknown actors can deliver malicious code to a public repository that can't be easily reviewed (the build process is obscured: uglified JavaScript pushed to npm not matching the source code). We shouldn't use "compiled" objects from untrusted sources.
Replying to @kennethmayer @wycats
I guess I should offer a solution: do the "compilation" phase locally, during your build process. OTOH, the Linux distros have built up trust that their compiled packages are "clean," so I'll download compiled packages from Debian, Ubuntu, etc., because of time constraints.
This is the direction Ember is going in, fwiw. Among other things, minified code loses semantic information you could use to do better whole program compilation.