Comment by dcow
7 years ago
I’m not in any loop and nothing about the post came across as douchey. In fact, it seems many people need to be reminded about who is responsible for putting open source code in any project especially after reading the disgustingly entitled comment thread on the recent nodejs security issue.
You think it's disgustingly douchey for people to be dismayed that software from a trustworthy dev was turned over to someone who turned it into malware?
The dev isn't responsible for the giant mound of stupid that is npm but we all have to take the world as we find it or fix it.
In the context of the world as it is, projects' deps having deps having deps, where the practical protection against a developer's machine getting pwned and eventually millions of users getting pwned is more or less developers checking to ascertain that a given library is Bob who works for Google and not lame hacker number 2388, it's poorly considered to hand over libraries to people you have no reason to suppose are trustworthy. A reasonable person could suppose that might not end well for a multitude of projects where 182 deps of deps of deps aren't vetted again per point release, because in practical fact it's impractical to do so, while it is very practical for individual authors to not transfer control of names and to publish info about their authorship.
Unlike never updating, or expecting individual orgs to vet 182 deps written by anon people with every bump, so a reasonable person ought to do their best to make the workflow that might have some hope of working work.
If you didn't want ANY responsibility whatsoever you could have not published it globally.
Anyone who imagines that responsibility is merely transactional, that it only attaches when money changes hands, has literally missed the majority of human civilization, including the more recent parts where people that give away free food are still expected to wash their hands, get food handlers' cards, practice food safety, pass inspections, etc. You aren't required to provide a vegan or kosher option or even make good food, but you can't behave maliciously or negligently.
Given how projects are actually used by virtually everyone, the author's actions appear negligent. Given that the hypothetical bad actually already happened, it appears that judgement is irrefutable.
You are your brother's keeper whether you want to be or not. Software isn't special; it works like every other civilized endeavor. Wash your hands and don't scratch your ass, please.
In the context I work in, I expect external software to be audited when incorporated into a project. It should be a significant decision backed by clear rationale to depend on someone else's code, not simply a convenience because we're all lazy devs. I review diffs when updating library versions and guide people to prefer writing in-house solutions over including pop-software libraries. I hold my team accountable for the software they produce. I don't disagree that everything works better when we all play nice, but I also don't agree with deflecting the blame when your software is compromised, because it doesn't actually solve the problem and allows the same poor habits to continue unchecked. If you don't understand a dependency enough to implement it yourself were it to disappear or break, you shouldn't be using it.
> recent nodejs security issue.
Uh-oh. I hadn't been aware of this. Do you have a link, please? (A quick Google didn't help much.)
It's possible that they're referring to this crypto-currency backdoor that was slipped into the event-stream dependency?
https://github.com/dominictarr/event-stream/issues/116
Edit: it attempts to steal crypto-currency; it doesn't mine it.
Also, er, bloody hell. These comments are completely out of hand. Examples:
"You put at risk millions of people, and making something for free, but public, means you are responsible for the package."
"There is a huge difference between not maintaining a repo/package, vs giving it away to a hacker (which actually takes more effort than doing nothing), then denying all responsibility to fix it when it affects millions of innocent people."
Where do these people get off?
Thanks!