Do you check that the doctor you see at the clinic isn't an imposter?
I go to a reputable clinic that vets the people who work there, which is not something npm does with its contents
1 reply 0 retweets 0 likes
Does your clinic carefully vet the provenance of every equipment and drug delivery?
1 reply 0 retweets 2 likes
Replying to @wycats @segphault and
yes, there are chains of trust, regulatory authorities and spot checks for those things in health; what does OSS have that's equivalent?
1 reply 0 retweets 0 likes
Replying to @marypcbuk @segphault and
There's stuff like https://www.emberjs.com/security/ . And before you ask, yes, we get security reports and handle them using industry best practices.
1 reply 0 retweets 1 like
Replying to @wycats @segphault and
but as far as I know there aren't a lot of things like the Linux Foundation critical infra project work going through the chain of trust
1 reply 0 retweets 0 likes
Replying to @marypcbuk @wycats and
I think the issue is it falls on individual devs and teams to do so much binary entity reputation management, & tools like WhiteSource aren't common
1 reply 0 retweets 1 like
Replying to @marypcbuk @wycats and
so there isn't an equivalent of those industry-wide chains of trust that are there in your healthcare metaphor
1 reply 0 retweets 0 likes
Replying to @marypcbuk @wycats and
whether it's Node hitting a CoC bump and forking itself again, or an npm package, it's a burden on devs to know how many turtles down to look
1 reply 0 retweets 1 like
Replying to @marypcbuk @segphault and
I think my healthcare metaphor is too strong (and sloppy) in large part because of how seriously people take medicine. A closer analogy might be construction. Nobody really knows which workers and materials go into a house, but it's ok.
2 replies 0 retweets 1 like
Most domains don't have the kind of chain of trust requirements that you're describing, and for good reason. Software in finance and health is subject to more serious restrictions but mostly uses coarse-grained approaches around data exfiltration.