Something's missing in the Top 10s
I note that in none of the top 10 most used modules listed is there anything to help with input sanitizing and checking.
That goes some way to explain the horrendous fiascos we've witnessed in the past few years.
With modern applications now composed of 80 to 90 per cent Free and Open Source Software (FOSS), the Linux Foundation and Laboratory for Innovation Science at Harvard University (LISH) on Wednesday published their second open-source census to promote better security and code management practices. The first such report appeared …
This is a result of the methodology. There are already services, such as <a href="https://libraries.io/">Libraries.io</a>, that will calculate library dependencies and watch them for security updates, and you can only sensibly do this on a component/application basis.
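The component-level dependency check the comment above refers to can be shown in miniature. The following is an added example, not code from the commenter, from Libraries.io or from the census report: it parses a constructed pinned manifest, compares each pin against a constructed advisory list with vulnerable version ranges, and reports which components need an update. The package names, versions and advisory identifiers are all made up for illustration.

```python
"""Minimal software-composition check over a pinned dependency manifest.

Added example; the manifest and the advisory feed below are constructed,
not taken from any real project or vulnerability database.
"""

# Constructed requirements-style manifest (not from any real project).
SAMPLE_MANIFEST = """\
# constructed example manifest
requests==2.19.1
flask==1.1.2
example-sanitizer==0.3.0
"""

# Constructed advisory feed: (package, first_vulnerable, first_fixed, advisory id).
# A pinned release is affected when first_vulnerable <= version < first_fixed.
SAMPLE_ADVISORIES = [
    ("requests", "2.0.0", "2.20.0", "CONSTRUCTED-ADV-001"),
    ("example-sanitizer", "0.1.0", "0.4.0", "CONSTRUCTED-ADV-002"),
]


def parse_version(text):
    """Turn '2.19.1' into (2, 19, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text):
    """Return [(name, version)] from 'name==version' lines; comments and blanks are skipped.

    Unpinned lines are rejected: without an exact version there is nothing to compare.
    """
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep != "==" or not version.strip():
            raise ValueError(f"unpinned requirement: {line!r}")
        pins.append((name.strip().lower(), version.strip()))
    return pins


def find_affected(pins, advisories):
    """Return [(name, version, advisory_id, first_fixed)] for every affected pin."""
    hits = []
    for name, version in pins:
        pinned = parse_version(version)
        for pkg, lo, hi, adv_id in advisories:
            if pkg == name and parse_version(lo) <= pinned < parse_version(hi):
                hits.append((name, version, adv_id, hi))
    return hits


if __name__ == "__main__":
    for name, version, adv_id, fixed in find_affected(
        parse_manifest(SAMPLE_MANIFEST), SAMPLE_ADVISORIES
    ):
        print(f"{name}=={version} affected by {adv_id}; upgrade to >= {fixed}")
```

The point of the version-tuple comparison is that plain string comparison gets `2.9.0` and `2.19.1` in the wrong order; a real scanner would also have to handle pre-release tags and ranges with several fixed branches, which this sketch leaves out.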
As if some shared library could sanitise input as well as my half arsed routines.
Next you'll be suggesting I use encryption libraries that Governments recommend rather than the cunning things I have devised. Just try decrypting my 103-pass modified Caesar cipher...
Tbbq yhpx jvgu gung
Consider the cited limited scope of sources (!): "contribution of private usage data by Software Composition Analysis (SCAs)" (see Methods in that PDF)
Past the headline generating claims, their Conclusion starts with "We understand that these findings are not comprehensive, but with the usage data provided, we hoped to ..." So they know they are peeking through a keyhole.
Probably the only interesting bit of the report is in their subsection "Lessons Learned : The Persistence of Legacy Software in the Open Source Space", where they discover people continue to use old code, through a combination of code copying and cargo-culting. Well gee...
Not sure if anyone else gripes about this but I really hate when:
You have a sort of professional company name, and this goes for Linux or Windows:
You run setup or install and the path is "program folder name" (often times the name of the company), then the next sub folder is something so childish like \fuzzybear or some other weird name that appears to come out of some fantasy or sci fi world.
STOP IT! JUST STOP IT! NOW!
I understand where you are coming from for Windows, but on Linux this does not really happen. Everything ends up in a simple set of well known paths: /bin or /usr/bin or /usr/lol/bin (soz) /usr/local/bin, unless it's ./sbin, or perhaps some of those are symlinks. Now where's my config? /etc or /opt/lol/etc/config/tiddlywinks. Now go and find the logs. Oh, the /srv and /var/lib thing and old uncle Tom Cobbley and all (and all).
OK, I'm taking the piss and actually it is surprisingly easy to find stuff on a Linux box once you work out the logic and the same usually applies on Windows too, especially once you find c:\programdata\ and the nether regions of your user home directory. Again the Linux equivalent needs a bloody great map (hello ~/.local) or some good grep and find skills to get around. At least you get those out of the box.
The OP does have a point when it comes to COTS software. e.g. IBM software tends to install itself under /opt/IBM, sometimes with other additional paths for all software from a particular marketing brand, e.g. /opt/IBM/Rational. However, you can change this if you want by either using a non-silent install so you get prompted for installation paths, or using a response file with the appropriate installation path entries.
Programs on *nix used to store their (user) config files and data in a central and fairly predictable place, i.e. in a single "hidden" directory/file in the user's home directory. Nowadays they are split over $HOME/.config and maybe something in $HOME/ for good measure.
Biting the hand that feeds IT © 1998–2020