Comment by orf

1 year ago

Hard yes, burden scales with number of authors and not number of lines.

That’s… the whole rationale about not liking lots of small packages.

Are you reviewing code you're pulling into your code base (that is usually organized and counted in lines, smartass) or authors?

Either way, with Rust it's a handful of authors, but just because they are proven to be good-faith actors doesn't mean trust in their code is implied when we're talking about supply chain hardening.

  • From upthread:

    > This is assuming that the audit consists of validating dependency authorship, and not the more labor-intensive approach of reviewing dependency code.

    So, obviously: authors.

    I took your reply of "hard no" to be a rejection of validating authors as sufficient hardening and an assertion that only line-by-line code review meets your standards. Fine, but if your answer is always going to be "doesn't matter, not good enough", we can't have a reasonable conversation about how best to validate authors.

    • No, line-by-line meets my standard. I don't think just validating authorship is enough.

That depends on whether you want to vet the authors or the code itself.

  • Sure, but then we could just take all the dependency code and put it in single line to make it quicker to review.