undefined | Better HN

0 pointsChrisMarshallNY3y ago0 comments

I'm not arguing, but the standard response (caveat emptor, basically):

> pull that code in without looking at it

Is no longer reasonable. The dependency chains are too vast to expect the end-user to be able to audit the whole thing.

There are a couple of options:

1) Don't use open-source code, and make sure that commercial code that you use doesn't have it.

2) Have some kind of "regulated middleman" auditors, or certification authorities, that can certify (and probably hash) "approved" open-source chains.

They both suck. I worked for a company that did #1. They hired a company (can't remember the name, but it started with "P") that scanned our entire codebase, looking for open source.

#2 is likely to result in either corruption, or "roadblocks," where we can't use new fixed libraries, because the chain hasn't been audited, yet.

0 comments

4 comments · 3 top-level

yjftsjthsd-h3y ago· 1 in thread

It sounds like you want to get something for nothing. If you want software that meets some given standard, then someone has to invest the effort to make that happen. This isn't always expensive, but it's never free. So your options are indeed that if that should happen, then it has to be done by the author, an intermediate party, or the consumer. Trying to make the author pay when they're not getting anything out of it is a great way to kill FOSS outright. That's not to say that "open-source code" is some boogeyman that has to be kept away, it just means that you gotta pay someone to make it meet your standards. Heck, offer the original author a contract and you'll solve the problem for everyone, and other problems besides.

ChrisMarshallNYOP3y ago

> It sounds like you want to get something for nothing.

Not exactly sure how you read that from what I wrote. Maybe you were replying to someone else?

#1 is definitely not free. My company paid a bundle for that audit; far more, than if they had simply licensed commercial software.

#2 would require some kind of paid “middlemen.” The biggest problem would be that the money would not go to the authors, but to the auditors, instead.

JohnFen3y ago

> Is no longer reasonable. The dependency chains are too vast to expect the end-user to be able to audit the whole thing.

The end user shouldn't have to audit the whole thing. The software that includes the dependencies should audit their dependencies.

If that burden is unworkable (and in a lot of cases, it is), that's a sign that the software needs to shed a lot of the dependencies.

gus_massa3y ago

>> pull that code in without looking at it

> Is no longer reasonable. The dependency chains are too vast to expect the end-user to be able to audit the whole thing.

Each open source project is different. For example I'm using:

Racket: Only the main distribution that is created by the development team and a few packages, and ver few additional packages, like 1 or 2 for viewing the assembler version of the compiled functions.

Python: Also only the official distribution, NumPy and perhaps 1 or 2 more packages. The batteries are included, so it's not necessary to download too much.

LaTeX: As many packages as I can add, my coworkers hate me. Each package has a different author and chains to more and more packages. But I'm using MiKTeX and I thrust the maintainer whoever he is [1]

[1] I had to google the name of the maintainer. He is Christian Schenk, I was convinced his name was Michael or something like that.

j / k navigate · click thread line to collapse