by javert 1470 days ago
> Our dependency tree has steadily grown to almost four hundred third-party crates, and we have thus far lacked a mechanism to efficiently audit this code and ensure that we do so systematically. (-Firefox)

Wow. This makes me feel like I have to stop using Firefox.

I wonder if others feel the same, or have a different analysis. For example, is the situation with Chrome better?

5 comments

At times like these I'm reminded of the phrase “If you wish to make an apple pie from scratch, you must first invent the universe”

You have to rely on something in life, just like in an office building you can't realistically check the structure inside-out, or if you can, how can you make sure that the individual components are actually of the material they say they are? Have you double-checked your local water table yourself? Have you done geological studies to uncover vulnerabilities the subcontracting firm building the office may not have done correctly? What is the effect of local radio interference or power quality on your equipment? Are your UPS devices actually performing to spec?

> At times like these I'm reminded of the phrase “If you wish to make an apple pie from scratch, you must first invent the universe”

Sure, but it may also be a comparison between grandma's apple pie and the apple pie from the supermarket. If you never looked at the ingredient list of the latter, you're bound to be surprised at what you're getting. If grandma hand picked her apples from the back yard, you may be unhappy to learn about the pesticides used for commercially grown apples.

> You have to rely on something in life, just like in an office building you can't realistically check the structure inside-out, or if you can, how can you make sure that the individual components are actually of the material they say they are?

In that case, there are building codes as well as checks to ensure they are followed. While it is possible for someone to ignore those codes, there is also a cost for doing so if you are caught. For the most part, the software industry doesn't have building codes. If something fails, software licenses are generally written to avoid accountability. About the only constraint is the negative response of the market, but even that can be managed to some degree.

If your standard is that third party code must be audited, you'll have quite a small selection of software to use. It's mostly all running on faith and reputation and counting on good intentions. (Like society generally!)

The specific issue described is a recent development. I'm a former Mozillian, and this is surprising to hear. In the pre-Rust days, this NPM-style fractal-of-dependencies approach wasn't a thing in Gecko/Firefox, and anyone naively insisting that this is just how things work in software development (and purportedly have to work) was someone who demonstrably didn't know what they were talking about. Looks like we've lost some of the "demonstrably" part.

I wasn't talking about Firefox specifically, I could have made that more explicit... But it's good to hear that Mozilla has good culture for this. If there is something you can say or link to about systematic third-party code auditing at Mozilla, e.g. are results public, it would be interesting to hear. Or about how many vulnerabilities are discovered in code audits vs. post-shipping security testing like fuzzing and other pentesting-y activities.

(Of course good control of versions is still a worthy goal for many situations even if you don't do this)

It's quite likely that this is an accurate description of much development generally, and that Mozilla are simply more transparent about the situation than most vendors.

Though Google's deep pockets for security work do likely convey advantage.

It’s the current state of development as a whole. I assume most browsers and operating systems do this.

That is not the case.

In fact, Firefox itself did not do this until recent years.

It is true that modern JS development often works that way (as does Rust and some others), but it is not the norm in all ecosystems, and definitely wasn't in browsers.


I very much doubt that Firefox and most other internal software didn't do this until recent years, though usually in a more ad-hoc manner, i.e. "oh look, that code does what I want ... but eh .. how can I add that as a dependency, far too much work, let's copy it into our tree", which gives you all the downsides of the current state without any of the upsides.

I can tell you as a former Firefox developer that that was not the case. Yes, Firefox has some dependencies copied into the tree, but deciding to do it, and the process afterwards (including updating), were very careful and slow.

Of course there may have been exceptions I am not aware of, and developers are humans that can make mistakes, but that is the overall culture I experienced. It is fundamentally different to the JS/Rust/etc. ecosystem models.

> Wow. This makes me feel like I have to stop using Firefox.

I already had that urge in a powerful way after the last ESR update filled my browser with seemingly impossible to remove Bing and Google search hooks, among other obnoxious commercial b.s. I specifically use Firefox to not have shoved in my face at the browser internals level.

I'd probably be using Epiphany/GNOME Web full-time if it provided a noscript analog.