Say it with me now
"Open source projects are not supply chains"
"Open source projects are not supply chains"
"Open source projects are not supply chains"
"Open source projects are not supply chains"
-
Lyude🌹#BLM (lyude@queer.party)'s status on Thursday, 12-Jan-2023 03:24:15 JST (Adrian Cochrane repeated this.)
-
Adrian Cochrane (alcinnz@floss.social)'s status on Thursday, 12-Jan-2023 04:03:53 JST @Sobex @Lyude Run unit tests every time you upgrade a dependency? With FOSS projects you could just grab theirs!
I'd also advocate auditing the code on every upgrade, but it's difficult enough to convince businesses to audit the code once. And everyone (except apparently me!) has to draw a line at how much code we audit.
But yes, $s are more than welcome!
-
sobex@social.sciences.re's status on Thursday, 12-Jan-2023 04:04:06 JST @Lyude What is this supposed to mean?
Imho, from the point of view of "supply chain attacks", using an open source or a closed source dependency can still expose you to the same issues (how do you ensure a release is legitimate, that no one inserted malicious code in your download (source or binary)?)
More importantly, if your business relies on open source project dependencies, you should probably invest some money to ensure those projects are well maintained. (Give $ to open source devs!!!)
-
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 12-Jan-2023 04:05:50 JST @Lyude Or you know:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND[…]