Hacker News
by cxr 1083 days ago
> I'd say better tools could help in some ways, but you still have the fundamental problem that even if I go and download GitHub's or Stripe's schema from their codebase and statically link it into my code, I don't control when they deploy their systems.

> They can literally update it in the FUTURE, and static checks fundamentally can't handle that -- only dynamic checks can.

You're not wrong, but you are underselling what reasonably disciplined adherents to a static regime can use to their advantage.

----

My favorite commentary (in favor of your position of what static can't do*) includes:

- some remarks Gilad Bracha once made on some podcast (might've been Software Engineering Radio) about how hardware at base is not static, which feels somewhat counterintuitive when low high-level languages like C are in the same room suggesting that the truth is otherwise

- Lars Bak giving an interview about V8 at Microsoft to Erik Meijer and Charles Torre(?) where Lars breaks the latter's brain by pointing out that even if JS hadn't won and you were dealing with a purportedly better static language like C# compiled down to CIL, then the engine would still apply the same treatment to the payload it received, insofar as performing "inefficient" dynamic validation

* which happens to be my position, too, to be clear