From 441607641f6e412535c033607a1633cabd81abbc Mon Sep 17 00:00:00 2001 From: =?utf8?q?Joann=20M=C3=B5ndresku?= Date: Thu, 22 Sep 2022 21:36:58 +0300 Subject: [PATCH] Clarify my stance on code sharing. --- .../posts/supply-chain-attacks-industry-never-learns.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/content/posts/supply-chain-attacks-industry-never-learns.md b/content/posts/supply-chain-attacks-industry-never-learns.md index 6d2a9c9..868f6d6 100644 --- a/content/posts/supply-chain-attacks-industry-never-learns.md +++ b/content/posts/supply-chain-attacks-industry-never-learns.md @@ -47,6 +47,14 @@ more than just dumb downloaders without any regard to security. Even the simplest sha256 check would improve the situation, if nothing else. The ReactOS Applications Manager is a lot more secure by design compared to all of the afforementioned package managers just by the hash check alone. +## So, don't share code at all? +I never said that. There is nothing wrong with sharing code, but code should still be under scrutiny, be it open or not, it must be +audited before being integrated into a project and re-checked on updates. Personally, my interests align for open source being a net +positive - I share [scripts for projects I do](/ssh-alerts-landchad-style/) and even the [source code for this very website.](https://git.based.quest/?p=web-hugo.git;a=shortlog;h=HEAD) + +If you fork a project using the above advice, please respect the license terms, give credit where due and if feasible, open a pull +request upstream with your improvements. + ## Okay, but how does the industry "never learn"? Simple, the package managers are still growing in popularity, there is no blowback, new developers are still being lead to use NPM, PyPi, Rust crates, public CDN CSS/JavaScript libraries, etc. There is no practice of auditing the code you are pulling at all. -- 2.25.1
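Review bot: The first sentence of the new "So, don't share code at all?" section is a comma splice that reads as a run-on; in the `+` line "There is nothing wrong with sharing code, but code should still be under scrutiny, be it open or not, it must be audited before being integrated into a project and re-checked on updates." consider splitting it, e.g. "There is nothing wrong with sharing code, but code should still be under scrutiny, open or not. It must be audited before being integrated into a project and re-checked on updates." Two smaller points in the same hunk: "my interests align for open source being a net positive" is awkward and could read "my interests align with open source being a net positive", and "If you fork a project using the above advice" is ambiguous, since the advice immediately above is to audit and re-check code rather than to fork; naming the advice ("after auditing it as described above") would make the forking paragraph follow. The unchanged context line still carries the typo "afforementioned" (should be "aforementioned"); it is not introduced by this patch but could be fixed in the same commit while this section is being touched.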