Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
AIorNot 7 hours ago

So your supposed to write your own posthog? be serious

anonymous908213 6 hours ago | parent | next [-]

Yes. If your shop is serious about security, it is in no way unreasonable to be building out tools like that in-house, or else paying a real vendor with real security practices for their product. If you're an independent developer, the entirety of Posthog is overkill, and you can instead write the specific features you need yourself.

reconnecting 6 hours ago | parent [-]

We had created a sort of Posthog, but for product security analytics (1), and after 4 years of development I can confirm it's not something that you can easily create in-house.

1. https://github.com/tirrenotechnologies/tirreno

exasperaited 6 hours ago | parent | prev | next [-]

I tell people this over and over and over: every time you use a third party dependency, especially an ongoing one, you should consider that you are adding the developers to your team and importing their prior decisions and their biases. You add them to your circle of trust.

You can't just scale out a team without assessing who you are adding to it: what is their reputation? where did they learn?

It's not quite the same questions when picking a library but it is the same process. Who wrote it? What else did they write? Does the code look like we could manage it if the developer quits, etc.

Nobody's saying you shouldn't use third party dependency. But nobody benefits if we pretend that adding a dependency isn't a lot like adding a person.

So yeah, if you need all of posthog without adding posthog's team to yours, you're going to have to write it yourself.

reconnecting 6 hours ago | parent [-]

> I tell people this over and over and over: every time you use a third party dependency, especially an ongoing one, you should consider that you are adding the developers to your team and importing their prior decisions and their biases. You add them to your circle of trust.

Thanks! Now, I will also tell this to developers.

dkdbejwi383 7 hours ago | parent | prev [-]

If they have a HTTP API using standard authentication methods it's not that difficult to create a simple wrapper. Granted a bit more work if you want to do things like input/output validation too, but there's a trade-off between ownership there and avoiding these kinds of supply-chain attacks.

jacquesm 7 hours ago | parent [-]

> Granted a bit more work if you want to do things like input/output validation too,

A bit? A proper input validator is a lot of work.

dkdbejwi383 6 hours ago | parent [-]

If you aim for 100% coverage of the API you're integrating with, sure. But for most applications you're going to only be touching a small surface area, so you can validate paths you know you'll hit. Most of the time you probably don't need 100% parity, you need Just Enough for your use-case.

jacquesm 6 hours ago | parent [-]

That's an excellent way to get bitten.

dkdbejwi383 6 hours ago | parent [-]

I'm not sure how you mean.

To my understanding, there's less surface area for problems if I have a wrapper over the one or two endpoints some API provides, which I've written and maintain myself, over importing some library that wraps all 100 endpoints the API provides, but which is too large for me to fully audit.