Comment by 0x457

1 year ago

Are you reviewing code you're pulling into your code base (that is usually organized and counted in lines, smartass) or authors?

Either way, with Rust it's a handful of authors, but just because they are proven to be good-faith actors doesn't mean trust in their code is implied when we're talking about supply-chain hardening.

From upthread:

> This is assuming that the audit consists of validating dependency authorship, and not the more labor-intensive approach of reviewing dependency code.

So, obviously: authors.

I took your reply of "hard no" to be a rejection of validating authors as sufficient hardening and an assertion that only line-by-line code review meets your standards. Fine, but if your answer is always going to be "doesn't matter, not good enough", we can't have a reasonable conversation about how best to validate authors.

  • No, line-by-line meets my standard. I don't think just validating authorship is enough.