For business (I'm hired) I just let the boss decide, and have learnt the hard way that GPL isn't.
For my personal software (like the hostfile guard) I check everything and try to avoid dependencies as per Joel Spolsky's advice.
Bastard Programmer from Hell
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
We have lives on our hands. Every single piece of code, be it ours or third party, must be stored in the repository in the exact same configuration in which it is used, and it has to be thoroughly documented with regard to safety requirements and risk analysis.
Most of the open source code is not validated against any international standard, so we'd have to do it in-house - this means we either build our own or buy certified components.
GCS/GE d--(d) s-/+ a C+++ U+++ P-- L+@ E-- W+++ N+ o+ K- w+++ O? M-- V? PS+ PE Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
+1 on that (most of my work life)
M.D.V.
If something has a solution... Why do we have to worry about it? If it has no solution... For what reason do we have to worry about it?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
I've got Ubuntu, along with gcc and other things for compiling C++. When I update them, I don't do due diligence. But are they libraries? I'd say no, and they're so reputable that due diligence isn't a concern, so I just said that I don't use open-source libraries.
I don't get to choose, I get told.
I’ve given up trying to be calm. However, I am open to feeling slightly less agitated.
If the download count is high and there aren't any reported malware problems, I download it and just use it.
".45 ACP - because shooting twice is just silly" - JSOP, 2010 ----- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010 ----- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
Sorry, but that reminds me of 'third wave'.
Over 10 million downloads: that's just the default project template adding it, and each time another dev adds the reference, that's another download counted.
Now 10 downloads, well, clearly 10 other people know this is a good library.
1 download: the author testing their own work.
0 downloads: "first".
Log4j?
M.D.V.
If something has a solution... Why do we have to worry about it? If it has no solution... For what reason do we have to worry about it?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
Our Legal department mandates that all licenses (for both open- and closed-source code) be reviewed by them, in order to avoid later "gotchas". This applies to any & all dependencies as well.
Reviews of the actual functionality are our responsibility. We then make a local clone of the project and all its dependencies, and use that in our code. That way, we control if/when to upgrade to a new version.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
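Two posts above describe the same control from different angles: every third-party file kept in the repository in the exact configuration it ships in (the safety-critical post) and a local clone of each dependency so the team decides when to upgrade (the Legal-department post). The script below is an added example, not code from any poster, showing how to turn that into a mechanical check: a lock file records the reviewed version and the SHA-256 of the exact bytes that were reviewed, and a verifier flags anything that drifted. The file names, contents and lock format are constructed for the example.

```python
"""Added example: verify that vendored third-party code in the repository still
matches the exact pinned configuration that was reviewed and locked.
File paths, file contents and the lock layout are constructed for this example."""
import hashlib
import json
import re
from typing import Dict, List

# Only exact versions are acceptable pins; ranges ("^1.0", ">=2") are not a review record.
PIN_RE = re.compile(r"^\d+\.\d+\.\d+$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_lock(vendored: Dict[str, bytes], versions: Dict[str, str]) -> dict:
    """Record, for every vendored file, the version the team reviewed and the
    hash of the exact bytes that were reviewed. Run once at review time."""
    return {
        path: {"version": versions[path], "sha256": sha256_hex(data)}
        for path, data in vendored.items()
    }


def verify_vendored(lock: dict, vendored: Dict[str, bytes]) -> List[str]:
    """Compare the current tree against the lock. Returns a list of problems;
    an empty list means the tree is exactly what was reviewed."""
    problems: List[str] = []
    for path, entry in lock.items():
        if not PIN_RE.match(entry["version"]):
            problems.append(f"{path}: version {entry['version']!r} is not an exact pin")
        if path not in vendored:
            problems.append(f"{path}: listed in lock but missing from tree")
            continue
        actual = sha256_hex(vendored[path])
        if actual != entry["sha256"]:
            problems.append(
                f"{path}: content hash mismatch "
                f"(expected {entry['sha256'][:12]}..., got {actual[:12]}...)"
            )
    for path in vendored:
        if path not in lock:
            problems.append(f"{path}: present in tree but never reviewed/locked")
    return problems


# Constructed sample tree: the files as they were reviewed and committed.
REVIEWED: Dict[str, bytes] = {
    "third_party/fastjson/parser.py": b"def parse(s):\n    return s\n",
    "third_party/tinylog/log.py": b"def log(m):\n    print(m)\n",
}
VERSIONS: Dict[str, str] = {
    "third_party/fastjson/parser.py": "1.4.2",
    "third_party/tinylog/log.py": "0.9.0",
}
LOCK = make_lock(REVIEWED, VERSIONS)

# Constructed drift: one reviewed file changed, one unreviewed file appeared.
DRIFTED: Dict[str, bytes] = dict(REVIEWED)
DRIFTED["third_party/fastjson/parser.py"] = b"def parse(s):\n    import os\n    return s\n"
DRIFTED["third_party/tinylog/extra.py"] = b"# unreviewed helper\n"

if __name__ == "__main__":
    print(json.dumps(LOCK, indent=2))
    for problem in verify_vendored(LOCK, DRIFTED):
        print("FAIL:", problem)
```

Running it prints the lock and then two failures for the drifted tree (a hash mismatch and an unlocked file); the reviewed tree verifies clean. Hashing the bytes rather than trusting the version string is the point: a version number says what you meant to vendor, the hash says what is actually there.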
I can sink two companies over that issue.
Companies usually don't take those (GPL) licenses seriously, and spend lots of money to prevent someone using "their" code.
Bastard Programmer from Hell
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
Check to see if anything has thick gooey ectoplasm streaming from some hole over which a dead branch of stump root has recognizable authors' names ensigilled in elfin script. I know what codified incantation looks like because I've spent many hours spelunking the grounds where stand menhir, walking the inroads where rise up the stupa, and tread, practically paralyzed, bogged down in the sudden mire of an innocent-looking-enough barrow, swamps wherein slither both tremendous and dread serpents, all in far-off fantasy lands where it's usually reputed that the ghosts of my ancestors rale and then listen to themselves criticize their own shabby cardio-pulmonary condition, ultimately irritating the current inhabitants with their wails. Meaning those residing head west for relief, if not questing to return with a cure.
Your code reviews must be intense.
cheers
Chris Maunder
Yes, without any reason, my body revolves and sometimes, I think my left arm at the shoulder is degloving ...
+5 for the language.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
The company I am contracting to has made a major investment in Azure DevOps. As part of that they have used both SonarQube and Whitesource, and settled on Whitesource as part of its CI/CD process. In addition to doing the dependency scan as part of the build process, it then continues to track those dependencies. That way, if a vulnerability is found later in the existing dependencies, it can report on that as well.
I have no affiliation with Whitesource, just commenting on what I find useful....
I want to incorporate something similar to this in my own AzDo repositories and CI/CD, priced at the level an independent developer can afford (free or nearly so).
I can recommend OWASP Dependency-Check.
modified 11-Nov-22 12:54pm.
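The useful property described in the Whitesource post, and what OWASP Dependency-Check also does against the NVD, is that the inventory captured at build time keeps being checked as new advisories arrive, rather than only once. The script below is an added example (not code from either tool or from any poster) of that loop in miniature: a build inventory of component versions is matched against an advisory list with version ranges, first as the list looked on build day and then after a later disclosure. Component names, versions and advisory IDs are constructed placeholders.

```python
"""Added example: re-check a build-time dependency inventory against an advisory
feed as it grows, so a vulnerability disclosed after the build is still reported.
Component names, versions, advisory IDs and ranges are constructed placeholders."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
# One constraint: an operator followed by a dotted numeric version.
RANGE_RE = re.compile(r"^(<=|>=|<|>|==)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """'2.14.1' -> (2, 14, 1). Shorter tuples are zero-padded when compared."""
    return tuple(int(part) for part in text.split("."))


def _cmp(a: Version, b: Version) -> int:
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(version: str, spec: str) -> bool:
    """spec is a comma-separated list of constraints that must all hold,
    e.g. '>=2.0, <2.15.0'. Raises ValueError on a malformed constraint."""
    v = parse_version(version)
    for clause in spec.split(","):
        match = RANGE_RE.match(clause.strip())
        if not match:
            raise ValueError(f"bad constraint: {clause!r}")
        op, bound = match.group(1), parse_version(match.group(2))
        c = _cmp(v, bound)
        holds = {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "==": c == 0}[op]
        if not holds:
            return False
    return True


def find_affected(inventory: Dict[str, str], advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """Match every (component, version) recorded at build time against the
    current advisory list and return (component, version, advisory id) hits."""
    hits: List[Tuple[str, str, str]] = []
    for adv in advisories:
        version = inventory.get(adv["component"])
        if version is not None and in_range(version, adv["affected"]):
            hits.append((adv["component"], version, adv["id"]))
    return hits


# Constructed inventory captured from one build; this is what gets stored and re-checked.
BUILD_INVENTORY: Dict[str, str] = {"jsonlib": "2.14.1", "tinylog": "0.9.0", "httpkit": "3.2.0"}

# Constructed advisory feed as it looked on build day...
ADVISORIES_BUILD_DAY: List[dict] = [
    {"id": "ADV-EXAMPLE-001", "component": "httpkit", "affected": ">=1.0, <3.0.0"},
]
# ...and after a later disclosure affecting a component that already shipped.
ADVISORIES_LATER: List[dict] = ADVISORIES_BUILD_DAY + [
    {"id": "ADV-EXAMPLE-002", "component": "jsonlib", "affected": ">=2.0, <2.15.0"},
]

if __name__ == "__main__":
    print("build day:", find_affected(BUILD_INVENTORY, ADVISORIES_BUILD_DAY))
    print("later    :", find_affected(BUILD_INVENTORY, ADVISORIES_LATER))
```

On build day the scan is clean (httpkit 3.2.0 is outside the affected range); re-running the same stored inventory against the later feed reports jsonlib 2.14.1 under ADV-EXAMPLE-002. The scan itself is cheap; the part that needs organisational commitment is keeping the per-build inventory and scheduling the re-check.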
Anything that can un-obscure the spiderweb of dependencies is a good idea.
I think the worst example of unnecessary dependencies I've seen was an ad (yes, banner ad) that pulled in Angular to display the image. My brain slipped a cog at that one.
cheers
Chris Maunder
Chris Maunder wrote: I've seen was an ad (yes, banner ad) that pulled in Angular to display the image
What? Should have used React.
"It is easy to decipher extraterrestrial signals after deciphering Javascript and VB6 themselves.", ISanti