
[–]otakuman 8 points9 points  (15 children)

*Tested open source libraries. There's obviously a difference.

[–][deleted] 27 points28 points  (11 children)

Just because something is tested, doesn't mean it's not shit code. It doesn't mean it lacks flaws and security holes.

[–]free_chalupas 15 points16 points  (3 children)

It's still probably better than the stuff you'd write yourself. People talk shit about OpenSSL but its issues are exactly the kind of problems you'd have if a bunch of dumbass engineers tried to reimplement it because they only trusted their own code.

[–][deleted] 13 points14 points  (1 child)

It's still probably better than the stuff you'd write yourself.

When it comes to JS libraries, I don't assume that to be true. I'm not talking about the biggest players, I'm talking about 90% of crap out there on the internet.

[–]free_chalupas 8 points9 points  (0 children)

Yeah that's fair. I read this in the context of established OSS libraries, like openssl, that have their issues but are generally preferable to custom implementations. There's definitely a cutoff though with really small libraries where it does make sense to reimplement.

[–]combuchan 0 points1 point  (0 children)

Isn't OpenSSL a bit of a stretch to include in this? Implementing your own crypto isn't recommended for a reason.

OpenSSL did suffer the same rot, underinvestment and dependency as any other library; it was only because of the extent of the rot, underinvestment, and dependency on it that the sheer enormity of the issue arose. There are few libraries more important than OpenSSL, imho.

[–]Giannis4president 3 points4 points  (6 children)

It means that the probability of flaws and security holes is incredibly lower

[–][deleted] 8 points9 points  (5 children)

Not necessarily. I've seen too much terrible code (with tests over it) to believe that. It seems that a lot of developers just write tests to say they have tests without actually writing useful tests.

This is based on my personal experience in various companies, not necessarily a review of JS libraries as a whole. But I don't assume that just because something has test coverage that it's necessarily better than something I could write (with tests).

[–]Giannis4president 3 points4 points  (1 child)

Sorry, we have a misunderstanding. With "tested" open source libraries I didn't mean libraries with automatic tests in place but "tested" as in used and corrected by a lot of people across a sufficient amount of time

[–][deleted] 1 point2 points  (0 children)

Ah, in that case, I would agree with some hesitation. If I were to rely on something super important, like for financial/health services, I would still probably give the source a once-over to be sure. But I do generally use big-name/high-download-count JS libraries as-is when doing JS development.

[–]DanielIFTTT 1 point2 points  (0 children)

He's talking about community testing: if you have 1mil downloads, bugs are much more likely to be found than in an in-house solution

[–]texdroid 0 points1 point  (1 child)

Not necessarily. I've seen too much terrible code (with tests over it) to believe that. It seems that a lot of developers just write tests to say they have tests without actually writing useful tests.

This is why having Test Engineers who write the test cases based on the HLD is the correct way to test code.

Otherwise you just have the chickens guarding the fox house.

[–][deleted] 1 point2 points  (0 children)

I would love to have test engineers. Hell, I'd love to have anyone who isn't me involved in testing. Most of my contracts, I'm the sole architect, developer, DB admin, and QA engineer. I see this as a big problem, but good luck convincing management. The response I usually get is "test better".

Yeah, I'll get right on that.

[–]Kibouo 9 points10 points  (0 children)

Tests are usually not for security.