I'm sure most people don't review the code for their operating system, drivers, web server, compiler, browser etc., but they do assess if the entities that write + support them are worth trusting. This is likely the only realistic approach for complex JavaScript apps also.
Right. And that's really bad.
> I'm sure most people don't review the code for their operating system, drivers, web server, compiler, browser etc.
Right, but some people do. Hire one of them. (And if your "props dept." can't keep up with the changes to all the things that's also really bad.)
> they do assess if the entities that write + support them are worth trusting.
No one is a magic code elf. (Some people come close. Fabrice Bellard might count. But even that worthy commits bugs.)
Like I said in a sib comment, yeah, some things get a pass. Bash shell for example. Then again, remember e.g. "heartbleed"?
> Right. And that's really bad.
> > I'm sure most people don't review the code for their operating system, drivers, web server, compiler, browser etc.
> Right, but some people do. Hire one of them.
The interesting question isn't if you can do it, it's when should you, to what extent, and how much it will cost.
"Always do it, do it in-depth, the time consumed isn't important and the budget isn't important" is a bad approach, for example, and isn't helpful to the OP.
Successful software development is all about making appropriate tradeoffs - you're not going to get very far by conducting your own OpenSSL audit when all you want to do is write a todo web app.