GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

    Rich Felker (dalias@hachyderm.io)'s status on Thursday, 27-Mar-2025 23:25:06 JST

    Policy I wish software maintainers would follow regarding dependencies:

    - If the dependency is external interface surface (certificate policy, network protocols that might add extensions the user will need to communicate, interchange file formats, etc.) honor the system one.

    - If the dependency is completely internal and computational, fully vendor it. Check in the known-good copy to your own repo.

    • aburka 🫣 (aburka@hachyderm.io)'s status on Thursday, 27-Mar-2025 23:37:13 JST

      @dalias would that it were always simple to determine the difference...

    • cliffle (cliffle@hachyderm.io)'s status on Thursday, 27-Mar-2025 23:59:56 JST

      @dalias While I think you've got a point here, the main caveat I'd offer is around security vulnerabilities. I keep finding "no dependency" programs (which in practice means they vendored, or just copy-pasted, some code) with out-of-date and vulnerable versions of things.

      If every program did this, the process of stamping out those vulns would be very involved.

    • Rich Felker (dalias@hachyderm.io)'s status on Friday, 28-Mar-2025 00:02:56 JST, in reply to cliffle

      @cliffle In order to be vulnerable it has to have some interface surface with malicious data, which usually means it's not entirely internal. In some rare cases, this does happen where the interface surface is just race conditions or something that can be exploited without an explicit interface surface. But usually it means we're in the case where it's between the extremes of purely internal and external interface surface.

    • cliffle (cliffle@hachyderm.io)'s status on Friday, 28-Mar-2025 01:41:43 JST

      @dalias fair. Sometimes it can be difficult to predict which interfaces wind up being external, of course. For instance, if one component can be tricked into skipping a validation layer and handing a block of code to a more internal component, any issues in that internal component could be accessible.

      Really though, what we're getting at is that distinguishing internal from external can be hard and takes a judgement call.

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.