christophilus 5 days ago
Yes. I would review any changes to any 3rd party libraries. Why is that unrealistic? Regarding the language itself, I may or may not. Generally, I pick languages that I trust. E.g. I don't trust Google, but I don't think the Go team would intentionally place malware in the core tools. Libraries, however, often are written by random strangers on the internet with a different level of trust.
Eji1700 5 days ago
> Why is that unrealistic?

Because the vast majority of development is done by people with a very narrow focus of skills on an extreme deadline, and are you actually comfortable with compression, networking, encryption, IO, and all the other taken-for-granted libraries that wind up daisy-chained together? Because if you are, great, but at the same time, that's not the job description for like 90% of coding jobs. I don't expect my frontend guy to need to know encryption so he can review the form library he's using.
ashirviskas 5 days ago
Good for you, but sadly, most people are not like you. Or don't have the opportunity to be like you.
rcxdude 5 days ago
How realistic it is depends on how big your dependencies are (in total LOC, not 'number of packages' - something I think gives Rust's ecosystem a bad rap, given the tendency for things to be split into lots of packages so the total amount of code you pull in can be minimised). For many projects the LOC of dependencies utterly dwarfs the amount of code in the project itself, and it's pretty infeasible to review it all.