by OhMeadhbh
27 days ago
No. It is partially due to trivial dependencies. With so many dependencies it is very difficult to evaluate the security posture of all the teams that are inserting themselves into your code. When I publish commercial software for Unices that use shared object libraries, one of the things we do before publishing is review known vulnerabilities of our 10 dependencies. That is a tractable number. I get a senior engineer to spend time with an intern and step them through the evaluation criteria. If the team managing a particular library grows lax over time with respect to responding to vulnerabilities, we move away from using that library. And we can do these things because there are a tractable number of dependencies. But yes, also GitHub is not pure as the driven slush. I agree with you on that.
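The two checks the comment describes, whether a pinned dependency version falls inside a known-vulnerable range and whether the maintainers have a habit of leaving disclosed issues unfixed, can be scripted once the dependency count is small enough to keep a curated advisory list. The following is an added example, not code from the commenter; the dependency manifest, the advisory records, their field names and the 30-day "lax" threshold are all constructed for illustration and do not follow any real feed's schema.

```python
"""Audit a small dependency manifest against a curated advisory list.

Added example. Every library name, version, advisory id and date below is
constructed; the record layout (introduced / fixed_in / published / fixed) is
an assumption, not the schema of any real vulnerability database.
"""
from __future__ import annotations

from datetime import date
from statistics import median

# Constructed manifest: library -> pinned version shipped with the product.
DEPENDENCIES = {
    "libfoo": "1.4.2",
    "libbar": "2.0.0",
    "libbaz": "0.9.1",
}

# Constructed advisories. A version is affected if introduced <= v < fixed_in;
# fixed_in/fixed are None while the maintainers have not shipped a fix.
ADVISORIES = [
    {"id": "ADV-0001", "package": "libfoo", "introduced": "1.0.0", "fixed_in": "1.4.3",
     "published": date(2024, 1, 10), "fixed": date(2024, 1, 14)},
    {"id": "ADV-0002", "package": "libfoo", "introduced": "1.2.0", "fixed_in": "1.4.0",
     "published": date(2023, 6, 1), "fixed": date(2023, 6, 3)},
    {"id": "ADV-0003", "package": "libbaz", "introduced": "0.5.0", "fixed_in": None,
     "published": date(2023, 11, 20), "fixed": None},
    {"id": "ADV-0004", "package": "libbaz", "introduced": "0.1.0", "fixed_in": "0.8.0",
     "published": date(2023, 2, 1), "fixed": date(2023, 5, 30)},
]

# Constructed audit date, fixed so the report is reproducible offline.
TODAY = date(2024, 3, 1)


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only; compare as tuples so 1.10.0 > 1.9.0."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, introduced: str, fixed_in: str | None) -> bool:
    """True when `version` lies in [introduced, fixed_in), or past `introduced`
    when no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed_in is None:
        return True
    return v < parse_version(fixed_in)


def open_findings(deps: dict[str, str], advisories: list[dict]) -> dict[str, list[str]]:
    """Map each shipped library to the advisory ids its pinned version is exposed to."""
    findings: dict[str, list[str]] = {}
    for adv in advisories:
        pinned = deps.get(adv["package"])
        if pinned is None:
            continue  # advisory is for a library we do not ship
        if is_affected(pinned, adv["introduced"], adv["fixed_in"]):
            findings.setdefault(adv["package"], []).append(adv["id"])
    return findings


def responsiveness(advisories: list[dict], today: date = TODAY,
                   max_days: int = 30) -> dict[str, tuple[float, bool]]:
    """Per library: median days from disclosure to fix, and whether that exceeds
    `max_days`. An advisory with no fix counts as open from publication to `today`,
    so a team that stops fixing things drifts over the threshold on its own."""
    days: dict[str, list[int]] = {}
    for adv in advisories:
        end = adv["fixed"] or today
        days.setdefault(adv["package"], []).append((end - adv["published"]).days)
    return {pkg: (median(d), median(d) > max_days) for pkg, d in days.items()}


if __name__ == "__main__":
    for pkg, ids in open_findings(DEPENDENCIES, ADVISORIES).items():
        print(f"{pkg}: exposed to {', '.join(ids)}")
    for pkg, (med, lax) in responsiveness(ADVISORIES).items():
        print(f"{pkg}: median {med:.0f} days to fix{' (LAX)' if lax else ''}")
```

With the constructed data, `libfoo` 1.4.2 is exposed to ADV-0001 (fixed only in 1.4.3) but not to ADV-0002, and `libbaz` 0.9.1 is exposed to the still-unfixed ADV-0003; the responsiveness report flags `libbaz` because its median disclosure-to-fix time is well over the threshold, which is the "grows lax over time" signal the comment uses to decide when to move off a library.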