From Microsoft - sure, until I get hacked because someone made a similar-looking, Microsoft-looking profile name and it wasn't taken down by the repository.
And the number of downloads: 10k+ downloads, go for it.
2 downloads, uhm, do I really want this, or have I asked the wrong question for what I need doing?
I'll use them, but I want some assurances that:
a. The package is considered trustworthy.
b. The package adds functionality that would have taken weeks or months for us to build.
c. The license is compatible with our product's license.
I have to admit, I get a little annoyed at some of my colleagues if they download a package to do a task which would have taken only a couple of hours for us to build. Part of the reason is:
1. We've now got a dependency on something that may or may not be supported into the future.
2. Its naming conventions may not line up with the rest of the project.
3. If a bug is found, yes, we can potentially fix it, but we may also be tearing our hair out / watching the bug get re-introduced in the next version of that package.
Of course there are some which save us literally weeks if not months of work, not to mention the handling of edge cases which often gets missed inside roll-your-own code. So for complex tasks, yes, I like package repos.
I can recommend OWASP Dependency-Check to check packages and libraries; see: devops-security-tools
It's free and open-source.
You might want to post it in: Free Tools Discussion Boards
The message there won't disappear after a week.
M.D.V.
If something has a solution... why do we have to worry about it? If it has no solution... for what reason do we have to worry about it?
Help me to understand what I'm saying, and I'll explain it better to you.
Rating helpful answers is nice, but saying thanks can be even nicer.
But do you trust the trust-checker package?
Cheers,
Vikram.
I just feel like I don't have the time, will or knowledge to properly assess their safety.
But I also don't want to write my damn JSON reader class.
I don't use them, AND no, I don't trust them. Not that I could, since 9 times out of 10 the libraries used in my projects need to be certified for safety and security by several entities.
If I'd ever get a package from whoknowswhere and whoknowswho, I think management would have a collective stroke. Uhmmm, that got me an idea, hold on, brb.
GCS d--(d-) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
Same here. I don't use them partly because I don't trust them. And the likelihood of getting some third-party package approved any time soon is near zero anyway.
I have always preferred rolling my own and my current boss is OK with that.
Oh, that reminds me... there is the further problem that there are two teams who need to approve third-party packages -- desktop and server -- and you can't get them to agree on which version to approve.