undefined | Better HN

0 pointsrubber_duck6y ago0 comments

I don't think nightly builds are the same thing as releases - you can have CI publish a build but to create a versioned public release it should require manual auth.

0 comments

raesene96y ago

That's a view of course (although in the case of gVisor they don't actually do versioned build just nightlies) but here's a question.

As a consumer of software libraries, have you ever looked into the security practices of the library author before choosing whether to use it or not?

ryanbrunner6y ago

This is becoming increasingly impractical for certain ecosystems as packages depend on packages, which depend on packages, etc. It's less of a problem with the bundler ecosystem, where larger packages with relatively few dependencies is more standard, but in the JS world installing a package means that you're likely installing tens or hundreds of sub-dependencies.

rubber_duckOP6y ago

I did review two small libs I was pulling that had very few users (and froze the version) But that's just the thing - I will never be in a position to do that for more than a few libs - that's why the best I can do is rely on source enforcing good practices and community audits.

j / k navigate · click thread line to collapse