My goal for personal Node projects is to keep the dependency graph thin enough that I could reasonably hand-audit every line of third-party code. I'm increasingly convinced everyone should do this. End the bloat. https://twitter.com/toshok/status/951150882778906625
-
-
yes, there are chains of trust, regulatory authorities and spot checks for those things in health; what does OSS have that's equivalent?
-
There's stuff like https://www.emberjs.com/security/ . And before you ask, yes, we get security reports and handle them using industry best practices.
-
but as far as I know there aren't a lot of things like the Linux Foundation critical infra project work going through the chain of trust
-
I think the issue is it falls on individual devs and teams to do so much binary entity reputation management & tools like WhiteSource aren't common
-
so there isn't an equivalent of those industry-wide chains of trust that are there in your healthcare metaphor
-
whether it's Node hit a CoC bump and forked itself again or an npm package, it's a burden on devs to know how many turtles down to look
-
I think my healthcare metaphor is too strong (and sloppy) in large part because of how seriously people take medicine. A closer analogy might be construction. Nobody really knows which workers and materials go into a house, but it's ok.
-
Most domains don't have the kind of chain of trust requirements that you're describing, and for good reason. Software in finance and health is subject to more serious restrictions but mostly uses coarse grained approaches around data exfiltration.