So you’re a programmer yourself. That helps me understand where you are coming from. Thanks for clarifying.
As a programmer, you know that you need to depend on the work of others. Otherwise you cant use libraries at all. Of course the libraries are only as good as their own people. But the important part here is that the library doesnt have a makefile for example, which renders your former argument moot. They are often included in huge projects which themselves both have automated and manual reviews.
Somehow I dont believe you have experience in foss programming, at least not in larger projects. Tons of stuff is being done which ensures tons of eyes go over every bit of code, over time. for example in kodi, I have to depend on the upstream people doing their work. they have upstream themselves, etc. All of this is reviewed over and over and over again.
Also, leftpad is a prime example of how you are completely unable to do your thing in a cooperative. you will always get shut down. maybe not immediately but eventually.
My former argument? You might be confusing who you are talking to, since you answered to my first post in this thread.
You also seem to remember leftPad wrong. What happened there was that someone made a tiny library that did nothing but to pad a string. Something so trivial that any programmer should be able to do that within a minute. But still tens of thousands of projects, even large and important libraries, would rather add a whole dependency just to save writing a line of code. In fact, in most dependency management systems it requires more characters to add that dependency than to write that oneliner yourself.
The issue with leftpad was that the maintainer of that “library” was angry for unrelated reasons and pulled all his libraries, which then broke thousands of projects and libraries because leftpad wasn’t available any more.
My point was that everyone just relies on upstream doing their stuff and hardly anyone bothers to check that the code they include is actually doing what it should. And everyone just hopes that someone else already did their job of reviewing upstream, because they can’t be bothered to do it themselves.
A better example though would be Heartbleed. OpenSSL is used in everything. It’s one of the core libraries for modern online communication. Everyone and their grandma used it, most distros, all the cloud providers and so on. Everyone has been making money using the security that OpenSSL provides. Yet OpenSSL was massively underfunded with only one permanent developer who was also underpaid for what he was doing. And apparently nobody thoroughly reviewed the OpenSSL code. Somehow in version 1.0.1 someone made a mistake and added the Heartbleed bug. Stuff like that happens, nobody’s perfect, and if there’s only one person working on this, mistakes are bound to happen.
And then this massive security vulnerability just stayed in there for over two years, allowing anyone to read out whatever’s in the memory of any server using OpenSSL. Because nobody of the billions of people using OpenSSL daily actually reviewed and analysed their code. Because “so many people use OpenSSL, someone surely already reviewed it”.
Or take Log4Shell. That’s a bug that was so trivial it was even documented behaviour. To find this, someone wouldn’t even have had to review the code, just reviewing the documentation of Log4J would have been enough. And still this one was in production code for 8 years. For a library that’s used in almost every Java program.
Nobody reviews upstream.
If upstream makes a mistake, that mistake is in the code. And then everyone just happily consumes what they get.
And upstream is often just a random library thanklessly maintained by some dude in their spare time.
Edit: Just to prove my point: Think of your last big FOSS project that you worked on. Can you list every single dependency and every single transient dependency that your project uses? For each of these dependencies, do you know who maintains it and how many people work on each of these dependencies? Do you know if everyone of these people is qualified and trustworthy enough to put reliable and secure code in your project? Or do you, like everyone else, just hope that someone else made sure it’s all good?
You talk as though closed-source developers reviewed all the upstream code. The exact same problem exists with closed-source, except there isn’t even the possibility of reviewing all the code if you want to. At worst, the lack of review in FOSS projects is on par with closed-source projects. At best, it’s a much smaller problem .
So you’re a programmer yourself. That helps me understand where you are coming from. Thanks for clarifying.
As a programmer, you know that you need to depend on the work of others. Otherwise you cant use libraries at all. Of course the libraries are only as good as their own people. But the important part here is that the library doesnt have a makefile for example, which renders your former argument moot. They are often included in huge projects which themselves both have automated and manual reviews.
Somehow I dont believe you have experience in foss programming, at least not in larger projects. Tons of stuff is being done which ensures tons of eyes go over every bit of code, over time. for example in kodi, I have to depend on the upstream people doing their work. they have upstream themselves, etc. All of this is reviewed over and over and over again.
Also, leftpad is a prime example of how you are completely unable to do your thing in a cooperative. you will always get shut down. maybe not immediately but eventually.
Thats why foss is the ultimately better system.
My former argument? You might be confusing who you are talking to, since you answered to my first post in this thread.
You also seem to remember leftPad wrong. What happened there was that someone made a tiny library that did nothing but to pad a string. Something so trivial that any programmer should be able to do that within a minute. But still tens of thousands of projects, even large and important libraries, would rather add a whole dependency just to save writing a line of code. In fact, in most dependency management systems it requires more characters to add that dependency than to write that oneliner yourself.
The issue with leftpad was that the maintainer of that “library” was angry for unrelated reasons and pulled all his libraries, which then broke thousands of projects and libraries because leftpad wasn’t available any more.
My point was that everyone just relies on upstream doing their stuff and hardly anyone bothers to check that the code they include is actually doing what it should. And everyone just hopes that someone else already did their job of reviewing upstream, because they can’t be bothered to do it themselves.
A better example though would be Heartbleed. OpenSSL is used in everything. It’s one of the core libraries for modern online communication. Everyone and their grandma used it, most distros, all the cloud providers and so on. Everyone has been making money using the security that OpenSSL provides. Yet OpenSSL was massively underfunded with only one permanent developer who was also underpaid for what he was doing. And apparently nobody thoroughly reviewed the OpenSSL code. Somehow in version 1.0.1 someone made a mistake and added the Heartbleed bug. Stuff like that happens, nobody’s perfect, and if there’s only one person working on this, mistakes are bound to happen.
And then this massive security vulnerability just stayed in there for over two years, allowing anyone to read out whatever’s in the memory of any server using OpenSSL. Because nobody of the billions of people using OpenSSL daily actually reviewed and analysed their code. Because “so many people use OpenSSL, someone surely already reviewed it”.
Or take Log4Shell. That’s a bug that was so trivial it was even documented behaviour. To find this, someone wouldn’t even have had to review the code, just reviewing the documentation of Log4J would have been enough. And still this one was in production code for 8 years. For a library that’s used in almost every Java program.
Nobody reviews upstream.
If upstream makes a mistake, that mistake is in the code. And then everyone just happily consumes what they get.
And upstream is often just a random library thanklessly maintained by some dude in their spare time.
Edit: Just to prove my point: Think of your last big FOSS project that you worked on. Can you list every single dependency and every single transient dependency that your project uses? For each of these dependencies, do you know who maintains it and how many people work on each of these dependencies? Do you know if everyone of these people is qualified and trustworthy enough to put reliable and secure code in your project? Or do you, like everyone else, just hope that someone else made sure it’s all good?
You talk as though closed-source developers reviewed all the upstream code. The exact same problem exists with closed-source, except there isn’t even the possibility of reviewing all the code if you want to. At worst, the lack of review in FOSS projects is on par with closed-source projects. At best, it’s a much smaller problem .