by vlovich123 1608 days ago
Everyone seems to be accepting the premise but I’ll reject it. For-pay software has lots of bad security vulnerabilities too. SolarWinds is an example. Windows and Office exploits. Browser 0-days. Etc., etc.

It’s almost like software is extremely complex and security is very hard in general. You’re always going to make some kind of trade off.

The problem is that we as humans don’t know how to correctly estimate risks like security risks. That means it’s not priced in when you go and ask “should I incorporate software package X into my build?” or “should I automatically take updates from my upstream?”. There are no good answers here either. Ultimately you need to be careful about which dependencies you take on, which ones need to be kept up with, and which ones should be pinned (but even in the best-case scenario issues will occur).