There is still the chance that the person who created the 4-line dependency also just copy-pasted it from the flawed StackOverflow answer. Or they are the same person, or they are also just a random person creating the package, like the random person who created the SO answer. I'm not sure why random_person1 should be more trustworthy to produce non-flawed code than random_person2.
OTOH: It's at least easily upgradeable, so it has an advantage.
> There is still the chance
There's no chance if you avoid random_person1 and use known_oss_provider’s package instead. At the very least, look at the tests.
Any package with tests is guaranteed to be more correct than a never-before-run SO answer.
There is still the chance. As the article states, OpenJDK copied from the Stack Overflow answer.
What if you write the code and test in your project?