
Open source, closed wallets, big profits – nobody wins the OSS rock, paper, scissors game

Anonymous Coward

Re: Not a bad idea, but Not the real problem

> But the real problem is not keeping code actively maintained, it's reviewing old code to identify problems that need to be corrected. Developers, in general, want to look forward, not backward, and the result is that problems are found after they are being exploited as attack vectors or, worse, break the internet.

Open Source is a system based on trust: as with many other things, it was created at a time when black-hat hacking wasn't really a thing; it was certainly long before the exponential growth in processing and networking capabilities made it ever easier to perform bulk attacks.

And for all that the "open" aspect of open source has a number of benefits, these very much rely on people having the time and motivation to actually review the code.

Sadly, there's far less money floating around for white-hat reviewers who want to fix things, as compared to black-hat hackers looking for exploits they can monetise.

So what we've ended up with is people building stuff atop vast mountains of libraries, with dozens of layers of dependencies and abstractions.

For instance, we use node for our JS libraries, and the node_modules directory contains over 170 MB of libraries and associated code/data.

Practically, there isn't a way for any individual company to review all that code - or any changes made to it over time. And while you can do things like version locking, that carries its own issues.

And there are further edge cases, beyond that.

For instance, we had someone working for us, who built a module to parse some stuff, and decided to publish it as an open-source module.

Which is well and good, but they've since left the company.

I'm not expecting this person to try and haxxor the gibson, or anything similar. But as a general principle, the idea of automatically pulling in third party code produced by someone with insider knowledge definitely makes me nervous...
