noncombatant.org
2 votes devtrix — 2 votes, 3 commentsSource

Dependency slurping systems like NPM, CPAN, go get, and so on continue to freak me out. They might potentially be more dangerous than manual dependency management

So to continue down the path of “should we automate it?” and/or “should we monolith it or cleave it?” I think this demonstrates that we have a critical security feature missing from the automation these package managers provide.

The problem is not the number of dependencies, if all dependencies are checked (see distributions repositories). The problem is that installing a software which has not been checked is a huge security hole because people think it’s free but in reality it can download any blob without letting the user know.

Yeah, you’re right. Otherwise we could apply the same logic elsewhere. It would be that someone voting for something “evil” would invalidate democracy.

Blobstrapping, non-free software. Package managers, good.