undefined | Better HN

0 pointsthayne3y ago0 comments

> haven't previously done much to make sure that that supply chain is robust

I'm doubtful that anything short of requiring thorough security/pen testing on everything in the dependency tree would have prevented log4shell. And if that is the goal here, who is going to pay for that? Most open source projects don't have that kind of funding.

0 comments

1 comments · 1 top-level

dllthomas3y ago

> everything in the dependency tree

With reasonable prioritization, we can probably do a lot to reduce the threat long before we get near everything.

> who is going to pay for that?

Well, this bill does seem to involve hiring FOSS devs, maybe that's partly what they'd do?

j / k navigate · click thread line to collapse