Hacker News new | ask | show | jobs
by seanwilson 2185 days ago
I just don't see how anyone could realistically look at all the lines of code that any nontrivial JavaScript app relies on in any depth.

I'm sure most people don't review the code for their operating system, drivers, web server, compiler, browser etc. but they do assess if the entities that write + support them are worth trusting. This is likely the only realistic approach for complex JavaScript apps also.
1 comments
carapace 2184 days ago
> I just don't see how anyone could realistically look at all the lines of code that any nontrivial JavaScript app relies on in any depth.

Right. And that's really bad.

> I'm sure most people don't review the code for their operating system, drivers, web server, compiler, browser etc.

Right, but some people do. Hire one of them. (And if your "props dept." can't keep up with the changes to all the things that's also really bad.)

> they do assess if the entities that write + support them are worth trusting.

No one is a magic code elf. (Some people come close. Fabrice Bellard might count. But even that worthy commits bugs.)

Like I said in a sib comment, yeah, some things get a pass. Bash shell for example. Then again, remember e.g. "heartbleed"?

link
seanwilson 2184 days ago
> > I just don't see how anyone could realistically look at all the lines of code that any nontrivial JavaScript app relies on in any depth.

> Right. And that's really bad.

> > I'm sure most people don't review the code for their operating system, drivers, web server, compiler, browser etc.

> Right, but some people do. Hire one of them.

The interesting question isn't if you can do it, it's when should you, to what extent, and how much it will cost.

"Always do it, do it in-depth, the time consumed isn't important and the budget isn't important" is a bad approach for example and isn't helpful to the OP.

Successful software development is all about making appropriate tradeoffs - you're not going to get very far by conducting your own OpenSSL audit when all you want to do is write a todo web app.

link
carapace 2184 days ago
Hey I'm just answering the question, yeah? We do it. It's not that hard. You pay the overhead upfront and have fewer surprises. Read the "Hollywood Secrets" book, it makes a lot of IMO good points.

I once helped a guy build a go-cart out of an old lawn mower engine and a bed frame. It was a lot of fun. We didn't do any research, we just made it.

If I'm provisioning a commercial fleet (for a delivery service or something) I'm going to do my homework to make sure the cars we deploy are low-maintenance, high-mileage, with a good safety record, etc.

link