Conversation
Notices
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 08-Feb-2018 05:53:45 UTC: @ajordan @gargron @feld oh cool, will have a look.
Eugen 🎄 (gargron@mastodon.social)'s status on Tuesday, 06-Feb-2018 01:18:57 UTC: wtf techcrunch https://mastodon.social/media/pcpIWTnFuk5Ghv9hUhU
Hallå Kitteh repeated this.
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 06-Feb-2018 01:38:17 UTC:
> Increasing reliance on open-source frameworks like React means engineering and security teams can't just worry about their company's own code. It has to mingle with changes to open-source projects that can cause unforeseen trouble. It's like if the ingredients in one of your prescription drugs subtly changed, so your preferred over-the-counter pills suddenly caused a dangerous interaction.
https://techcrunch.com/2018/02/05/mixpanel-passwords/
Ugh. Is this writer aware that you can rely on Other People's Code without even having the freedom to view and change the source code? How is that better? Then you probably won't even discover an issue like this.
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 06-Feb-2018 02:07:43 UTC: @feld @gargron So, you have the choice of auto-updating and violently breaking your thing even when there's no problem, or pinning and silently staying broken when there's a security update. :-)
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 06-Feb-2018 07:11:10 UTC: @vertigo @gargron @pasqui023 No, the issue with the blurb is that it implies that this is a problem with free software, rather than a general problem of our systems being so complex that we cannot build them ourselves and need to rely on other people's code.
"Build or buy" exists without free software, and choosing how much effort to spend on understanding "bought" (for money or not) code is always a balancing act.
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 06-Feb-2018 07:16:43 UTC: @ajordan @gargron @feld Yeah, semver intends to tell you what contracts you have with your dependencies.
But even Elm, which enforces that API signatures don't change without bumping versions, cannot enforce that semantics don't change underneath the API signatures.
Short of perfect formal verification, there is no technological solution, because this is a human problem.
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 06-Feb-2018 07:19:05 UTC: @vertigo @gargron @pasqui023 Perhaps. But can we agree that you can strike every "open source" from the blurb and it will remain just as true? That means that phrase is unnecessary and points fingers in the wrong direction.
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 08-Feb-2018 05:35:06 UTC: @ajordan @gargron @feld Thank you, and I agree.
I think semver is a good idea and I like it. But even with semver we need lockfiles. But then with lockfiles we need to not fire-and-forget but keep up to date on things.
Belts and braces, people. Goes along with the gum and paper clips we built this stuff on.
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 08-Feb-2018 05:45:30 UTC: @ajordan @feld @gargron
One thing that I want to see more of in the future is what e.g. #rust is doing:
Find the things that depend on your thing -- in their case every single crate published -- and treat them all as integration tests for your API.
#nix and #guix make this easier. I just discovered the brilliant #nox tool, where you can do `nox-review wip` on e.g. a bumped dependency and build and test every dependee.
Imagine if every project did this before releasing their point release! (And at the same time imagine that the dependees have decent tests, of course; otherwise you're just detecting whether you broke API signatures, and that's trivial to do without looking at any code except your own.)
Hallå Kitteh (clacke@social.heldscal.la)'s status on Thursday, 08-Feb-2018 05:55:09 UTC: @ajordan Umm, why are all the builds red?
https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/
:-D