by Aaron1011 3517 days ago
> Since GitHub is for open-source projects, it also meant that any user could submit a request to modify the code and impact Trump’s website, if the change was approved by the plug-in’s author, a developer in Lisbon named Igor Escobar.

That's how it works for any open source project you use, regardless of where it's been hosted. Unless you review the entire codebase (as well as all changes made in new releases), you're trusting the maintainers' judgement.


That's not exactly the same as choosing to use something that is hosted on someone else's server, which they could then subsequently modify now that you are using it in a very high-profile project.

Of course, judging candidates by the code quality of their campaign websites is a rather obscure and somewhat useless pastime.

True (on both counts). And yet it's common practice to include libs, fonts, and other bits from third party sites that the dev has no control over.

It's a stupid and lazy practice. It's common because most web developers aren't exactly highly trained specialists who know what they're doing.

I agree that it's still bad practice. My main objection was to the statement "Since GitHub is for open-source projects, it also meant that any user could submit a request to modify the code and impact Trump’s website". If you don't trust the maintainers' judgement in merging PRs, hosting it yourself isn't a solution (short of reviewing the entire project yourself).

I think the concern here is that the maintainer could subsequently merge a malicious PR knowing who was using the library from GitHub. That wouldn't be an issue if that group was hosting a version themselves (before the maintainer might find out who was using it).

I agree it's overblown (based on the article).

Was it sourced from a particular SHA or a "latest" link?

Oddly enough, it appears to have linked to the project's GitHub Pages site: 'https://igorescobar.github.io/jQuery-Mask-Plugin/js/jquery.m... (see https://web.archive.org/web/20160817080309/https://secure.do... for the original page).

This still wasn't a good idea, but for a different reason - it's relying on the demo at https://igorescobar.github.io/jQuery-Mask-Plugin/ continuing to exist, and continuing to host the plugin at that same path.
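An added example (not from anyone in this thread) of the two controls the discussion points at: pinning a third-party script's exact bytes with Subresource Integrity so a later change on the host is refused by the browser, and checking whether a URL is addressed by an immutable commit SHA rather than a mutable Pages or branch path. The script body, URLs and function names below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a reviewed copy of the plugin; not the real file.
SCRIPT_BODY = b"(function($){$.fn.mask=function(){return this;};})(jQuery);\n"

def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value ("sha384-<base64>") for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(src: str, body: bytes) -> str:
    """Emit a <script> tag pinned to the bytes reviewed at integration time.
    The browser refuses to run the script if the served bytes no longer match.
    Cross-origin SRI also requires the host to send CORS headers for the file."""
    return (f'<script src="{src}" integrity="{sri_digest(body)}" '
            f'crossorigin="anonymous"></script>')

def verify(body: bytes, integrity: str) -> bool:
    """Re-check a freshly fetched copy against the pinned value (e.g. in CI),
    so a silent change upstream is noticed before it reaches production."""
    algo, _, _ = integrity.partition("-")
    return hmac.compare_digest(sri_digest(body, algo), integrity)

# A raw.githubusercontent.com URL that names a full 40-hex commit SHA cannot
# change underneath you; a github.io or branch-name path can.
_COMMIT_PINNED = re.compile(
    r"^https://raw\.githubusercontent\.com/[^/]+/[^/]+/[0-9a-f]{40}/")

def is_commit_pinned(url: str) -> bool:
    """Heuristic check: True only for URLs addressed by an immutable commit SHA."""
    return bool(_COMMIT_PINNED.match(url))

if __name__ == "__main__":
    print(script_tag("https://example.invalid/plugin.js", SCRIPT_BODY))
    print(is_commit_pinned("https://example.invalid/plugin.js"))
```

Self-hosting a reviewed copy removes the dependency on the demo site existing at all; SRI is the fallback when the script must stay remote.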

Full disclosure, this mistake was not made by the campaign directly, but rather by Revv.co, who is the payments software provider (not processor, DJT is using Stripe).