|
|
|
|
|
|
by rectang
270 days ago
|
|
|
I don’t think the current state of software development is irredeemable. Ongoing downstream review of all dependency code is practical for only a tiny fraction of projects; for most projects using publisher reputation as a proxy for package safety is reasonable. What’s not working is the low-standards package managers where inconveniencing authors is never acceptable because the whole enterprise is built on popularity with authors — you can’t trust that what those package managers give you reflects author intent. |
|
|