Popular posts

I'm impressed that people are advocating reviewing all dependencies. It's admirable, but I have to wonder...

• First, how do you get anything done? I get that the army does strict reviews, but how much time do you spend on most applications that you have time for this?
• Second, how far do you go? There are lots of implicit dependencies. Do you review the compiler/interpreter? And all the OS libraries that uses? For every update?

It seems like you might be able to spot incompetently written code, but for malicious code, one has to assume it is hidden away in the last place you look.

It also seems really inefficient if everyone would review all their dependencies. Tens of thousands of people would review some libraries.

It'd be nice if reviews were more public. One might have more faith in a package if one knew it had been reviewed by 20 others before. But then how do you trust the reviewers?

As for open source, I don't feel that's the problem. At least with open source, you get the chance to do reviews.

As a fun fact, I once found that a library I wanted to use had a bunch of code encoded as whitespace (tabs, spaces, newlines), with two lines to eval it. There wasn't even any malicious code, someone just obfuscated it for the fun of it...