undefined | Better HN

0 pointsadmax88q6y ago0 comments

I don't get why people who even admit that they dont trust these random npm packages can think its okay to ship them in production and put all their user's data at risk. It's malpractice.

0 comments

nothrabannosir6y ago

I’d love to know a metric of trust and its relation to customer data. How many trust points for how much PII? I’m assuming it’s a logarithmic scale? And a Debian stable package gets , what, double the points of an npm package? Or I guess it depends on the weekly downloads? What about pip, gems, vim plugins, emacs packages (I’m looking at you melpa) , quicklisp, ...

Then we can play an honest thought experiment: how many people satisfy that metric? Don’t forget to correct for actually how much PII points one is handling.

If you don’t at least have some consideration of those factors, claiming malpractice seems fatuous.

admax88qOP6y ago

It's not a question of establishing an absolute scale of trust. It's about admitting that you consider npm packages to be insecure, but you run them in production anyways.

Imagine you believed that steel had a 10% chance of spontaneous combustion, regardless of whether its true or not, if you believe that and you still built a bridge out of it, that's malpractice.

nothrabannosir6y ago

Point being where is the line? How high are the stakes (bridge: say 20 human lives at any time, very important). How dangerous is it really? (10% chance of fire per year: extremely high). Then you combine those two and see if they match.

Everything has a limit. Otherwise why do you trust your compiler, your computer, your eyes, your sanity?

Be careful with a word like malpractice, and analogies that suggest blithe endangerment of human lives. It doesn’t leave a lot of room for honest engagement and suggests you either don’t understand the human mind, or the value of a human life.

1 more reply

j / k navigate · click thread line to collapse

0 comments

nothrabannosir6y ago

Then we can play an honest thought experiment: how many people satisfy that metric? Don’t forget to correct for actually how much PII points one is handling.

If you don’t at least have some consideration of those factors, claiming malpractice seems fatuous.

admax88qOP6y ago

It's not a question of establishing an absolute scale of trust. It's about admitting that you consider npm packages to be insecure, but you run them in production anyways.

Imagine you believed that steel had a 10% chance of spontaneous combustion, regardless of whether its true or not, if you believe that and you still built a bridge out of it, that's malpractice.

nothrabannosir6y ago

Everything has a limit. Otherwise why do you trust your compiler, your computer, your eyes, your sanity?

1 more reply

j / k navigate · click thread line to collapse