undefined | Better HN

0 pointsmarcus_holmes6y ago0 comments

good point. Oh wait, no, that's total bullshit.

So, firstly, Postgres takes responsibility for contributions. The fact that someone has submitted a patch or PR is no guarantee that it has been accepted.

Secondly, they combine all those contributors to release specific versions with specific features. I can trust that someone at postgres has reviewed all those contributions to ensure they make the grade and included them in the release for a reason.

Thirdly, Postgres as an institution takes responsibility for the code it releases. If I find something messed up in a postgres release, and report it to postgres, they will take responsibility for that and manage the rest of it.

None of this is true for NPM.

0 comments

paulddraper6y ago

> If I find something messed up in a postgres release, and report it to postgres, they will take responsibility for that and manage the rest of it.

> None of this is true for NPM.

Not as it pertains to bugs, but as it pertains to malicious code (the grandparent's actual question), npm accepts and acts on reports. In fact, their CLI even reports security vulnerabilities in your packages, a feature lacking in almost every other package manager.

If all code were in on source code repo, that all authors contributed too....is that really so big a difference as splitting our the areas of responsibility? What are the chances that Tom Lane looks at every single line of every single patch?

j / k navigate · click thread line to collapse