[HN Gopher] No, you cannot trust third party code without readin...
___________________________________________________________________
No, you cannot trust third party code without reading it first
Author : lycopodiopsida
Score : 7 points
Date : 2022-08-11 20:57 UTC (2 hours ago)
(HTM) web link (unixsheikh.com)
(TXT) w3m dump (unixsheikh.com)
| chmaynard wrote:
| I agree with the spirit of this post, but the idea of reading and
| understanding the code doesn't scale well. Perhaps a better way
| of expressing this is "trust, but verify". How trust is
| established varies depending on the size of the library and the
| reputation of the author(s). Verification obviously means
| rigorous testing.
| smt88 wrote:
| The article gives up on its clickbait headline almost
| immediately:
|
| > _Of course you cannot do that with everything, you cannot read
| all the source code for the kernel of the operating system
| you're running, you cannot read all the code that makes up the
| compiler or interpreter you're using, but that is not the point
| at all, of course some level of trust is always required. The
| point is that you need to do it when you're dealing with code you
| are writing and importing!_
|
| OK, so we're drawing an arbitrary line of what we read and what
| we don't.
|
| A basic web application at this point is going to import at least
| 10k lines of other people's code. A React app probably uses
| millions.
|
| There's just no way around this. We all trust code we haven't
| read and have to continue doing it.
|
| Reading code doesn't even guarantee finding security flaws. Most
| of us aren't security researchers, and none of us can understand
| an entire project's source code the first time we read it.
| [deleted]
___________________________________________________________________
(page generated 2022-08-11 23:01 UTC)