
The open-source ecosystem's strength is also its weakness. Relying solely on community vigilance isn't cutting it anymore.


Exactly. Linus’s Law — “given enough eyeballs, all bugs are shallow” — falls apart when everyone assumes someone else is doing the watching. In reality, most packages (and especially their transitive dependencies) get zero meaningful review. Attackers know this and exploit it. Community vigilance just doesn’t scale — we need better tools to actually inspect what code is doing.


I agree with you. To be fair though, the concept likely seemed more reasonable in 1999. Hardware, browsers, and websites (and their front- and back-end services) were all less complex back then. Also less bloat. Not that things were more secure, but a popular tool may have had more meaningful review.

At times, complexity is worth the trade-offs. Modern C++ compilers are more complex than ones in the 80s and 90s, but the assembly code they generate runs much faster. Rust is complex but provides massive security benefits while maintaining great performance.

At times though, stuff is just bloated or poorly designed.

But it's not always clear how to intelligently design a project. If you add too many features to a single large project, it becomes unwieldy to maintain that large project, and the harder it becomes to audit this critical piece of infrastructure. Yet, if you don't add enough features, people will use packages from random devs, risking their own security, while harming the maintainability of their own project.

I don't know how we solve that problem. Alternatively, you could ask devs to reinvent the wheel and write a lot more code on their own (which they probably won't, either because they don't want to, or because the employer requires a solution on too short of a timeline to do so), but that could also jeopardize security. Many if not most web devs have to deal with authentication and encryption, both of which the overwhelming majority very much should not implement on their own. Good luck asking a junior dev to correctly implement AES-256 encryption (or something equivalent or better) on their own without using existing libraries.

The answer is almost certainly some kind of mix, but it's not clear what exactly that should look like.



