Comment by 0x457
1 year ago
Hard no. Burden scales with number of lines. Lines being split into smaller chunks (crates) only speed up the process in long run.
Hard yes, burden scales with number of authors and not number of lines.
That’s… the whole rationale about not liking lots of small packages.
Are you reviewing code you're pulling into your code base (that is usually organized and counted in lines, smartass) or authors?
Either way, with rust it's a handful of authors, but just because they are proven to be good faith actors, doesn't mean trust in their code is implied when we're talking about supply chain hardening.
From upthread:
> This is assuming that the audit consists of validating dependency authorship, and not the more labor-intensive approach of reviewing dependency code.
So, obviously: authors.
I took your reply of "hard no" to be a rejection of validating authors as sufficient hardening and an assertion that only line-by-line code review meets your standards. Fine, but if your answer is always going to be "doesn't matter, not good enough", we can't have a reasonable conversation about how best to validate authors.
That depends on whether you want to vet the authors or the code itself.
Sure, but then we could just take all the dependency code and put it in single line to make it quicker to review.