by temac 2463 days ago
Besides the political statement, do you have any technical opinion about an organization such as Chef shipping things that have runtime deps to third parties?

It wasn’t a political statement. I have a few thoughts in general. These aren’t specific to this situation.

First, always minimize runtime dependencies. I personally prefer compiled things for this very reason.

Second, if you’re going to include a third party dependency, how are you auditing it? There’s an unexplored area around security here too. The Node.js ecosystem has had a series of incidents where popular packages have had cryptocurrency miners injected into otherwise helpful packages. If you’re depending on third party runtime dependencies: how are you auditing changes and contributions, how are you scanning for vulnerabilities, how are you patching those vulnerabilities if you don’t have an internal fork upon which you build?

Third, RubyGems is a volunteer-run organization. I believe other software ecosystems are similar. From my understanding of the situation, a RubyGems outage would have had similar effect.

Compromised third party libs are absolutely not “an unexplored area around security”. It’s a super well-known threat.

Sorry - by “unexplored” I meant “not a topic I’ve seen discussed at length with regard to this particular issue”

What are your thoughts on Golang?

If you use Go, then try one of the new self-hosted repositories, such as github.com/gomods/athens since it allows you to archive every dependency you ever update so you can always retrieve past dependencies.
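
An archive like that is only as trustworthy as the pin you check it against, which for Go is the `h1:` hash go.sum records per module version. The following is an added example, not code from the thread or from Athens: it reimplements that directory hash and uses it to verify a constructed in-memory copy of a dependency against its pinned value, refusing a copy whose contents changed.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// Module is a constructed in-memory snapshot of one archived dependency:
// path inside the module zip -> file bytes. (Assumption: a real check would
// read the files from the proxy's storage or the local module cache.)
type Module map[string][]byte

// Hash1 reproduces the "h1:" directory hash that go.sum records: file names
// are sorted, each file is SHA-256 hashed, the lines "<hex digest>  <name>\n"
// are hashed again, and that digest is base64-encoded.
func Hash1(m Module) string {
	names := make([]string, 0, len(m))
	for name := range m {
		names = append(names, name)
	}
	sort.Strings(names) // map iteration order must not influence the result
	outer := sha256.New()
	for _, name := range names {
		inner := sha256.Sum256(m[name])
		fmt.Fprintf(outer, "%x  %s\n", inner[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(outer.Sum(nil))
}

// Verify compares an archived copy against the hash pinned when the version
// was first reviewed, so a silently changed archive is refused.
func Verify(m Module, pinned string) bool {
	return Hash1(m) == pinned
}

func main() {
	// Constructed sample module, with paths as they appear inside the zip.
	reviewed := Module{
		"example.com/dep@v1.2.0/go.mod": []byte("module example.com/dep\n\ngo 1.20\n"),
		"example.com/dep@v1.2.0/dep.go": []byte("package dep\n\nfunc Add(a, b int) int { return a + b }\n"),
	}
	pinned := Hash1(reviewed) // the value a go.sum line would carry
	fmt.Println("unchanged archive verifies:", Verify(reviewed, pinned))
	// The same version with one extra function added: the pin no longer matches.
	tampered := Module{
		"example.com/dep@v1.2.0/go.mod": reviewed["example.com/dep@v1.2.0/go.mod"],
		"example.com/dep@v1.2.0/dep.go": []byte("package dep\n\nfunc Add(a, b int) int { return a + b }\n\nfunc init() {}\n"),
	}
	fmt.Println("modified archive verifies:", Verify(tampered, pinned))
}
```
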

I believe you should use whatever language is practical for your use case.