zdw a day ago

> You cannot offer a taxi service in a car that is not fit for the road, and then just shrug when it crashes and people get hurt.

The problem is that there's no overt way to tell whether the "car" (code) you're looking at is someone's experimental go-kart made by lashing a motor to a few boards, or a well tested and security analyzed commercial product, without explicitly doing those processes on your own.

The problem is all the go-kart hobbyists who make moderately popular go-kart designs end up being asked for all sorts of commercial territory requirements.

The people on the consuming end think "reliability is their job!" and try to force all their requirements and obligations onto the go-kart makers, which usually doesn't end well.

jjav 13 hours ago | parent | next [-]

> The problem is that there's no overt way to tell whether the "car" (code) you're looking at is someone's experimental go-kart made by lashing a motor to a few boards, or a well tested and security analyzed commercial product, without explicitly doing those processes on your own.

Yes you can, companies just don't like the answer.

To run with that analogy, if you are setting up that taxi company, will you build your fleet by picking up free go-karts around the neighborhood, or by purchasing cars from a known manufacturer who has gone through crash testing etc.?

Not particularly different for software. If you need certified quality, you need to pay the providers fairly substantial amounts of money for that.

hnlmorg a day ago | parent | prev | next [-]

Important security packages should be audited by 3rd party researchers and their results shared. For example https://github.com/RustCrypto/RSA?tab=readme-ov-file

If you’re using a security package and it isn’t either a shim over an existing API (e.g. porting a C library to a non-C language) or it fails to provide evidence of independent audits, then steer clear of it.

Most other domains are generally much easier for the developer to audit.

However I will say in an age of AI, it will become much easier than it already is to inadvertently pull bad packages.

unethical_ban a day ago | parent | prev [-]

One could have different tiers of repository for different levels of trust.

In Arch Linux, I trust the base repositories more than the AUR.