by paulddraper 2394 days ago
How do you normally trust something?

PostgreSQL has 1257 source files [1], 1,250,000 lines of code [2], and ~400 authors [3].

So...however you'd normally audit that.

Probably look at the number of users, check for CVEs, and cross your fingers.

    [1] find . -name '*.c' | wc -l

    [2] find . -name '*.c' | xargs cat | wc -l

    [3] git log | grep -o 'Author: \S\+ \S\+'  | sort -u | wc -l

PostgreSQL is one project.

These dependencies are 242 projects, privately managed and unvetted.

I can choose to "trust" the PostgreSQL project, as it's a mature project with high visibility. I can't practically choose to "trust" those 242 projects and gauge the trustworthiness of 179 separate contributors; doing so would take vastly more time than most people have.

Dependency bloat is a huge and frustrating problem, especially for people who want to know where their code is coming from and don't want to have to decide to trust hundreds of people for a random cli tool.
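As an added example (not code from anyone in this thread): the footnotes above count PostgreSQL's files, lines and authors with shell one-liners; the same kind of inventory for an npm dependency tree can be read out of `package-lock.json`. The check below counts installed copies versus distinct projects, lists the hosts packages were resolved from, and flags entries with no integrity hash. The lockfile text is a constructed sample, not a real project's.

```python
import json
from urllib.parse import urlparse

# Constructed sample in package-lock.json (lockfileVersion 3) layout.
# It is not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-cli", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-cli", "dependencies": {"a": "^1.0.0"}},
        "node_modules/a": {"version": "1.0.0",
            "resolved": "https://registry.npmjs.org/a/-/a-1.0.0.tgz",
            "integrity": "sha512-AAAA",
            "dependencies": {"b": "^2.0.0", "c": "^3.0.0"}},
        "node_modules/b": {"version": "2.0.0",
            "resolved": "https://registry.npmjs.org/b/-/b-2.0.0.tgz",
            "integrity": "sha512-BBBB"},
        # resolved straight from a git host, no integrity hash recorded
        "node_modules/c": {"version": "3.0.0",
            "resolved": "git+ssh://git@github.com/example/c.git#abc123"},
        # nested duplicate: a second copy of b at a different version
        "node_modules/a/node_modules/b": {"version": "2.1.0",
            "resolved": "https://registry.npmjs.org/b/-/b-2.1.0.tgz",
            "integrity": "sha512-BBBB2"},
    },
})


def inventory(lock_text):
    """Summarise what a lockfile actually pulls in."""
    lock = json.loads(lock_text)
    # The "" key is the root project itself; skip it.
    pkgs = {p: m for p, m in lock.get("packages", {}).items() if p}
    names, hosts, no_integrity = set(), set(), []
    for path, meta in pkgs.items():
        # "node_modules/a/node_modules/@s/b" -> "@s/b"
        name = path.rsplit("node_modules/", 1)[-1]
        names.add(name)
        hosts.add(urlparse(meta.get("resolved", "")).hostname or "<none>")
        if not meta.get("integrity"):
            no_integrity.append(f"{name}@{meta.get('version', '?')}")
    return {"installs": len(pkgs), "distinct_projects": len(names),
            "hosts": sorted(hosts), "no_integrity": sorted(no_integrity)}


if __name__ == "__main__":
    print(inventory(SAMPLE_LOCK))
```

Run it against a real lockfile by passing the file's contents to `inventory`; the `distinct_projects` figure is the number of separately maintained projects you are choosing to trust.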

Good point. Oh wait, no, that's total bullshit.

So, firstly, Postgres takes responsibility for contributions. The fact that someone has submitted a patch or PR is no guarantee that it has been accepted.

Secondly, they combine all those contributors to release specific versions with specific features. I can trust that someone at postgres has reviewed all those contributions to ensure they make the grade and included them in the release for a reason.

Thirdly, Postgres as an institution takes responsibility for the code it releases. If I find something messed up in a postgres release, and report it to postgres, they will take responsibility for that and manage the rest of it.

None of this is true for NPM.

> If I find something messed up in a postgres release, and report it to postgres, they will take responsibility for that and manage the rest of it.

> None of this is true for NPM.

Not as it pertains to bugs, but as it pertains to malicious code (the grandparent's actual question), npm accepts and acts on reports. In fact, their CLI even reports security vulnerabilities in your packages, a feature lacking in almost every other package manager.

If all code were in one source code repo, that all authors contributed to...is that really so big a difference as splitting out the areas of responsibility? What are the chances that Tom Lane looks at every single line of every single patch?