Trust Google? The evil lords of shutting down applications? Not in a million years.
Worried about the security of your code's dependencies? Try Google's Deps.dev
In early 2002, then Microsoft chairman Bill Gates issued his Trustworthy Computing memo to ensure that computing "is as available, reliable and secure as electricity, water services and telephony." Two decades later, utilities and public infrastructure in the US are generally available but could be more reliable and more …
COMMENTS
Thursday 13th April 2023 19:54 GMT VonGell
Google goes down, Brin-Page-Schmidt are other:
That “shows what real competition will do,” Dintzer told Judge Amit Mehta. “What has been going on for the past 12 years is Google has been maintaining its monopoly. Would we have seen ChatGPT six years earlier? Would we see five other competitors competing for search? Those are questions none of us can answer.”
https://finance.yahoo.com/news/google-monopoly-delayed-innovations-chatgpt-174519410.html
Thursday 13th April 2023 13:08 GMT FrogsAndChips
Re: Until next time
Why not use it now while you review your dependencies and remove the unnecessary ones? Like it or not, software development nowadays relies *a lot* on external libraries and components, and it could take an awful lot of time to replace all your codebase with in-house versions, which may or may not be more secure than the original ones. At least there are some tools to identify known vulns, as opposed to those present in your code that no one knows about - apart from the bad guys.
Thursday 13th April 2023 14:50 GMT Anonymous Coward
Re: Until next time
If a developer came to me and said that they had used this [cough][cough] feature on code that was even an alpha release of something that would clearly make it into production, I might have to think that they were an idiot and did not want their job to last beyond the end of the day.
Trusting Google with even giving you the time of day without slurping something that could later be used against you is IMHO madness.
Some websites are dependency hell. Layer after layer after layer that the chances are... all phoning home.
Developers have got effing lazy. No site with more than one level of dependency can be regarded as even half secure.
The sites that I run have ZERO dependencies on libraries from Boris or Mao or whoever. I might use them in sandboxes but after that, it is all homegrown.
Thursday 13th April 2023 16:29 GMT Michael Wojcik
Re: Until next time
Perhaps because there are many alternatives, so why expose yourself to Google's minuscule attention span?
Frankly, if you're not already tracking at least some of this information – like all of your dependencies, their provenance, their versions, their licenses – in-house, you have a big problem that Yet Another Google Toy will not solve.
Saturday 15th April 2023 06:33 GMT -v(o.o)v-
Re: Until next time
I would argue that the much bigger problem these days is developers (oh sorry "DevOps") playing systems administrators with Docker and willy-nilly pulling in images done by who-knows-what without any constraints and considering all that smoldering mess fire-and-forget, never bothering to update anything - or indeed even understanding that they need to be updated.
The amount of images pulled in from random individuals is frankly frightening and a disaster waiting to happen. And even in the rare case they do update there are no guarantees that Jimbo in Lower Elbonistan bothers to keep their image updated.
Of course all of it is done with minimal understanding of anything, and why would understanding be necessary: just check from the README what few configuration parameters are needed to make it work and off to production it goes.
(Insert xkcd here about gluing stuff together)
I ran trivy once and there were thousands and thousands of high+ vulns in just one machine...
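Two posts above (Michael Wojcik's point about tracking dependencies, provenance and versions in-house, and this one about images pulled in "without any constraints") describe the same gap: nobody has an inventory of what is pulled in, and nothing stops an unpinned or unreviewed component from reaching production. The script below is an added example written for this thread, not code from the article, from deps.dev or from any commenter. It walks a Python requirements file and a Dockerfile, records what each pulls in, and flags entries that are unpinned or whose provenance cannot be checked. The two input files, the digests and the trusted-image lists are all constructed for the example; the policy they encode is an assumption, not a recommendation of what any particular team should allow.

```python
"""In-house dependency inventory plus pin-policy check (added example)."""
import re

# Constructed sample inputs for the example; the hashes are placeholders.
REQUIREMENTS = """\
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
pyyaml>=5.0
left-pad==1.0.0
"""

DOCKERFILE = """\
FROM python:3.11-slim@sha256:0000000000000000000000000000000000000000000000000000000000000002 AS build
RUN pip install -r requirements.txt
FROM build AS test
FROM jimbo/random-base:latest
FROM nginx
"""

# Assumed policy: images the team has reviewed, plus one internal registry.
TRUSTED_IMAGES = {"python", "nginx"}
TRUSTED_REGISTRY = "registry.example.internal/"  # hypothetical host


def parse_requirements(text):
    """One record per requirement: name, exact '==' version (or None), hashes."""
    # Join backslash-continued lines so --hash options stay with their package.
    records = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        hashes = [p.split("=", 1)[1] for p in parts[1:] if p.startswith("--hash=")]
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:==([^\s,]+))?", parts[0])
        records.append({"name": m.group(1), "version": m.group(2), "hashes": hashes})
    return records


def parse_dockerfile(text):
    """One record per external base image: name, tag, digest (stages skipped)."""
    records, stages = [], set()
    for line in text.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        ref = next(t for t in tokens[1:] if not t.startswith("--"))  # skip --platform etc.
        if "AS" in (t.upper() for t in tokens):
            stages.add(tokens[-1])
        if ref in stages:  # FROM <earlier stage> pulls nothing new
            continue
        image, _, digest = ref.partition("@")
        repo, _, last = image.rpartition("/")  # keep registry:port intact
        base, _, tag = last.partition(":")
        name = f"{repo}/{base}" if repo else base
        records.append({"name": name, "tag": tag, "digest": digest})
    return records


def audit(requirements, dockerfile):
    """Return (kind, name, problem) findings for both inventories."""
    findings = []
    for r in parse_requirements(requirements):
        if r["version"] is None:
            findings.append(("pypi", r["name"], "not pinned to an exact version"))
        if not r["hashes"]:
            findings.append(("pypi", r["name"], "no --hash; provenance unverifiable"))
    for d in parse_dockerfile(dockerfile):
        trusted = d["name"] in TRUSTED_IMAGES or d["name"].startswith(TRUSTED_REGISTRY)
        if not trusted:
            findings.append(("image", d["name"], "namespace not on the reviewed list"))
        if d["tag"] in ("", "latest"):
            findings.append(("image", d["name"], "floating tag; rebuilds not reproducible"))
        if not d["digest"]:
            findings.append(("image", d["name"], "no digest pin"))
    return findings


if __name__ == "__main__":
    for kind, name, problem in audit(REQUIREMENTS, DOCKERFILE):
        print(f"{kind:5} {name:20} {problem}")
```

Run it as-is and it reports eight findings: `pyyaml` is both unpinned and hashless, `left-pad` is pinned but hashless, `jimbo/random-base:latest` fails all three image checks, and bare `nginx` floats with no digest; `requests` and the digest-pinned `python` image pass. The point is not this particular policy but that the inventory is owned in-house and checked on every build, which is what neither deps.dev nor any other external lookup can do for you.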
Thursday 13th April 2023 23:02 GMT sten2012
This is a great idea. Not convinced many of the data points mentioned can't already be gathered via snyk... It just needs a neutral party to run it, not Google (who would be great to see contribute with their genuinely skilled engineers). And ideally a nonprofit.
The idea of "had it been code reviewed" is new but seems questionable. Could be incredibly handy:
By who?
Can you tag suppliers you trust/fund to review your own dependencies?
Can it be crowdsourced to look at specific projects/code?
Can it be integrated with funding the projects maintenance itself?
Can risky uses of libraries that aren't underlying vulnerabilities be flagged for people reviewing your own code?
I share the concerns of Google running this. But the idea isn't an inherently bad one.
Edit: in answer to my queries no all around. It's a question of how the project themselves review pull requests. Not my hopes and utopian dreams of, say, the Truecrypt reviews people pulled together for