• thesmokingman@programming.dev
    1 year ago

    Lander’s take at the end highlights a key gap in their security knowledge: while I might not necessarily read every line in a package, I am able to audit every line. Since I am able to audit, I can use tools to do some parsing of every line to identify potential problems (CVE analysis is a thing) and gain some modicum of confidence. I cannot audit a binary without serious effort via decompilation and similar resource-intensive processes.

    Security is not about preventing everything by knowing everything. It’s about picking the path that gives both reasonable confidence that things will not go wrong and strong confidence that we can improve when things go wrong (because they will go wrong). Lander assumes security is about the former while ignoring the latter.