While I recognize that in some ways npm, pip, etc have massively contributed to the success of their corresponding programming languages, the thought of implicitly trusting all of those dependencies terrifies the shit out of me. I don't know how we as an industry do it, tbh.
The solution is probably to find the most successful packages and re-write/integrate them into the language's standard library. The goal being to pull those highly popular dependencies into a 'secure' channel.
I think the obvious issue at that point is how is all that organized, managed, and funded.
Yes, we have to decide how much we want to trade off when we pick our point along the spectrum of "inspect everything to make sure it's safe and secure" <--> "save yourself the trouble and trust everything".
Myself, I don't check everything, but I certainly do inspect the codebases of new, small dependencies. Same thing for plugins and extensions of browsers or other applications.
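As an added example (my own code, not any commenter's), here is a small audit script for the "inspect new, small dependencies" approach described above: it reads an npm lockfile and a pip requirements file and flags entries that still need a look, because they are unpinned, carry no integrity hash, resolve to an unexpected registry, or are not yet on a list of packages someone has already reviewed. The reviewed allowlist, the trusted registry list, and both input files are constructed sample data, not values from the thread.

```python
import json
import re

# Assumed allowlist of packages a human has already inspected (constructed).
REVIEWED = {"left-pad", "internal-lib", "requests"}

# Assumed registries we expect packages to resolve from (constructed).
TRUSTED_REGISTRIES = ("https://registry.npmjs.org/", "https://npm.internal.example/")

# Constructed npm package-lock.json (lockfileVersion 3 layout); hashes are placeholders.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "tiny-util": "0.0.1"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/tiny-util": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/tiny-util/-/tiny-util-0.0.1.tgz",
            # no "integrity" field: nothing pins the tarball contents
        },
        "node_modules/internal-lib": {
            "version": "2.0.0",
            "resolved": "https://npm.internal.example/internal-lib/-/internal-lib-2.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER2",
        },
    },
})

# Constructed pip requirements file; hashes are placeholders.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 --hash=sha256:0000
flask>=2.0              # version range, no hash
internal-tool==1.2.0 --hash=sha256:1111
"""

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*\S+")


def audit_npm_lock(lock_text, reviewed=REVIEWED, trusted=TRUSTED_REGISTRIES):
    """Return sorted (package, issue) pairs for entries in a package-lock.json."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = path.split("node_modules/")[-1]
        resolved = entry.get("resolved", "")
        if not entry.get("integrity"):
            findings.append((name, "no integrity hash"))
        if not resolved.startswith(trusted):
            findings.append((name, "untrusted registry"))
        if name not in reviewed:
            findings.append((name, "not yet reviewed"))
    return sorted(findings)


def audit_requirements(req_text, reviewed=REVIEWED):
    """Return sorted (package, issue) pairs for lines in a requirements.txt."""
    findings = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name = re.split(r"[<>=!~\s]", line, maxsplit=1)[0]
        if not PIN_RE.match(line):
            findings.append((name, "not pinned with =="))
        if "--hash=" not in line:
            findings.append((name, "no --hash"))
        if name not in reviewed:
            findings.append((name, "not yet reviewed"))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, issue in audit_npm_lock(SAMPLE_PACKAGE_LOCK):
        print(f"npm  {pkg}: {issue}")
    for pkg, issue in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"pip  {pkg}: {issue}")
```

The point of the "not yet reviewed" finding is that it turns the trust decision into an explicit, recorded one: a package either went through someone's inspection and landed on the allowlist, or it shows up on every run until it does. Pins and hashes alone only guarantee you keep getting the same bytes, not that anyone has read them.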
Author's own post about it: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610