by stomato 3516 days ago
If you're a US citizen, vote for someone that will keep it going. Some have promised to undo a lot that the current administration has done, and this might be part of that.

I'm not aware of any free code from Trump so far, btw.

Also, when his campaign has tried to code, they fail:

http://qz.com/762424/trumps-campaign-donation-website-used-o...

"A programmer named Shu Uesugi, an engineer at a California company called EdSurge, discovered a major flaw with the way Trump’s website was using jQuery. Instead of downloading the open-source code from GitHub and running it off a server they controlled, the developers who built Trump’s website simply ran the code off GitHub directly, Uesugi found.

While the code’s location might seem like a minor detail, running it off GitHub meant that the person who controlled the code on GitHub could change the code at his whim, and those changes would take hold on Trump’s website. Since GitHub is for open-source projects, it also meant that any user could submit a request to modify the code and impact Trump’s website, if the change was approved by the plug-in’s author, a developer in Lisbon named Igor Escobar."

Then Igor tweeted about how he could have modified it: https://twitter.com/igorescobar/status/766367306662440960?re...


> Since GitHub is for open-source projects, it also meant that any user could submit a request to modify the code and impact Trump’s website, if the change was approved by the plug-in’s author, a developer in Lisbon named Igor Escobar."

That's how it works for any open source project you use, regardless of where it's been hosted. Unless you review the entire codebase (as well as all changes made in new releases), you're trusting the maintainers' judgement.

That's not exactly the same as choosing to use something that is hosted on someone else's server, which they could then subsequently modify now that you are using it in a very high-profile project.

Of course, judging candidates by the code quality of their campaign websites is a rather obscure and somewhat useless pastime.

True (on both counts). And yet it's common practice to include libs, fonts, and other bits from third party sites that the dev has no control over.

It's a stupid and lazy practice. It's common because most web developers aren't exactly highly trained specialists who know what they're doing.

I agree that it's still bad practice. My main objection was to the statement "Since GitHub is for open-source projects, it also meant that any user could submit a request to modify the code and impact Trump's website". If you don't trust the maintainers' judgement in merging PRs, hosting it yourself isn't a solution (short of reviewing the entire project yourself).

I think the concern here is that the maintainer could subsequently merge a malicious PR knowing who was using the library from GitHub. That wouldn't be an issue if that group was hosting a version themselves (before the maintainer might find out who was using it).

I agree it's overblown (based on the article).

Was it sourced from a particular SHA or a "latest" link?

Oddly enough, it appears to have linked to the project's GitHub Pages site: https://igorescobar.github.io/jQuery-Mask-Plugin/js/jquery.m... (see https://web.archive.org/web/20160817080309/https://secure.do... for the original page).

This still wasn't a good idea, but for a different reason - it's relying on the demo at https://igorescobar.github.io/jQuery-Mask-Plugin/ continuing to exist, and continuing to host the plugin at that same path.

Full disclosure, this mistake was not made by the campaign directly, but rather by Revv.co, who is the payments software provider (not processor, DJT is using Stripe).