undefined | Better HN

0 pointsxyzzyz4y ago0 comments

> Should always do a simple diff at minimum to see what changed. That's just part of being a responsible open source user.

Nobody does this, as this is completely unreasonable thing to expect.

0 comments

Arnavion4y ago

The open source user they're referring to is the package creator, not the package installer. The package creator takes responsibility for the software they package. I sure hope they check the diff. I certainly do for the packages I maintain.

pas4y ago

But is that an audit? How much does that worth against a determined and skilled adversary? I mean if they quickly do a lot of big changes they can easily drown packagers/reviewers, and then slipping something through becomes a waiting game.

j / k navigate · click thread line to collapse

0 pointsxyzzyz4y ago0 comments

> Should always do a simple diff at minimum to see what changed. That's just part of being a responsible open source user.

Nobody does this, as this is completely unreasonable thing to expect.

0 comments

Arnavion4y ago

pas4y ago

j / k navigate · click thread line to collapse