Comment by FridgeSeal

2 years ago

> Those that care, CI/CD only fetches from internal repos, and stuff is only uploaded into them after an audit.

It would be really interesting to do a survey about this, so that we can get some stats and breakdown by industry, language, size, etc about where this happens. I gather some places do this, but I’ve never met anyone, or worked anywhere that does this.

One way to not include any unaudited open source code is not to include any open source code!

I think when people point it out—that open source code is great, but comes with no strings attached and no guarantees, so you need to audit it to use it safely—they are often trying to say something about the ecosystem. That dependency growth is out of control. That it isn’t really as simple as git pulling the code in.

Relatively common in industries whose main purpose is not to sell software, and that tend to have restrictions in place that fortunately are coming to everyone via the cybersecurity bills of several governments.