by Tainnor
2121 days ago
Maybe we need some sort of "trust model" for dependencies. E.g. if you depend on a package, you'll have to explicitly state that you trust it. Conversely, a package author may declare that not only are they responsible for their own code, they have also either only used trusted dependencies, or declare their own trust (e.g. by review) of certain dependencies, so that you can transitively build up a trust chain... In practice, that would all be much more difficult, of course. But it would surface the underlying issue which is that while code reuse is fine and acceptable, using unvetted code is not.
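A small illustration of the trust chain the comment describes, added here as an example and not part of the original thread: each package manifest lists its dependencies and the subset its author vouches for, and a resolver walks the graph from the consumer and reports every path that reaches a package nobody in the chain has vouched for. Package names and manifests are constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Package:
    """A package's own manifest: what it depends on and which of those
    dependencies its author explicitly vouches for (e.g. after review)."""
    name: str
    deps: tuple = ()
    trusts: frozenset = frozenset()

def unvetted_paths(root, registry):
    """Walk the dependency graph from `root` and return every path whose last
    edge nobody vouched for (or whose target has no manifest at all). An empty
    list means the whole transitive closure is covered by an unbroken chain of
    explicit trust declarations."""
    findings = []

    def walk(name, path):
        pkg = registry[name]
        for dep in pkg.deps:
            chain = path + [dep]
            if dep not in pkg.trusts or dep not in registry:
                findings.append(chain)   # untrusted edge: do not descend through it
            elif dep not in path:        # trusted edge: descend, skipping cycles
                walk(dep, chain)

    walk(root, [root])
    return findings

def is_fully_vetted(root, registry):
    return not unvetted_paths(root, registry)

def with_trust(registry, name, dep):
    """Return a new registry in which the author of `name` vouches for `dep`."""
    pkg = registry[name]
    return {**registry, name: replace(pkg, trusts=pkg.trusts | {dep})}

# Constructed sample registry (hypothetical package names, not real ones).
REGISTRY = {
    "app":      Package("app", ("http", "json-lib"), frozenset({"http", "json-lib"})),
    "http":     Package("http", ("sockets", "leftpad"), frozenset({"sockets"})),
    "sockets":  Package("sockets"),
    "leftpad":  Package("leftpad"),
    "json-lib": Package("json-lib", ("unicode-tables",)),  # dep declared, never vouched for
}
```

Running `unvetted_paths("app", REGISTRY)` reports the two gaps in the chain (`http` never vouched for `leftpad`, and `json-lib` neither vouched for nor ships a manifest for `unicode-tables`), which is exactly the "unvetted code" the comment wants surfaced.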