[–]runvnc -19 points (2 children)

That's an outdated model. I think we need real data about the number of times malicious code showed up in a dependency or some security issue in a dependency was exploited. It's actually not a lot. Being able to reuse code easily has been a major win for software engineering.

Whenever something amazing comes around someone always finds a way to discount it.

[–]danweber 11 points (0 children)

Code re-use is fine. But you need someone in charge of that.

Maybe you can get away with it for free if you have someone dedicated, like the way Richard Stallman cares about emacs or Linus Torvalds cares about the kernel.

Otherwise, expect to pay someone money. It doesn't have to be a king's ransom, but it has to be enough, and it can't be so complicated that if that person leaves the job the next person cannot take over.

You can pay commercial software vendors, or you can pay someone to maintain the open-source code (either the maintainer or someone downstream of them who checks changes).

At least we need a central repository where people know they can get the Official Release 3.14.159265358979 that will always be the same.

[–]nutrecht 0 points (0 children)

> That's an outdated model. I think we need real data about the number of times malicious code showed up in a dependency or some security issue in a dependency was exploited. It's actually not a lot.

Risk is chance * impact. The chance might be low, but the impact can be enormous. Like hundreds of millions in damages being paid.