Every package you install increases your risk
Posted Aug 14, 2022 15:22 UTC (Sun) by Wol (subscriber, #4433) In reply to: Every package you install increases your risk by petiepooo
Parent article: Adding auditing to pip
> If you wish to audit a production environment, duplicate it in a lab and run your audit there. You already have a lab that duplicates your production environment, right?
WHAT production environment? WHO is paying for the lab?
I know there are a lot of people who are paid to write this stuff, but there are a lot of people who USE it in a *personal* capacity, and there are a lot of people who *write* it in a personal capacity.
If I'm writing/maintaining this stuff, I would love that sort of functionality. I have ONE powerful workstation / home-server, and I don't have the time, or money, to faff about trying to sort out a duplicate.
One *massive* advantage of this tool is that it would enable - in short order - popular packages to eliminate dependencies on abandoned packages, by reducing the amount of work needed to identify them and massively increasing their visibility. A lot of the time people don't care because caring costs too much. Reduce that cost, and suddenly people will see the effort as worthwhile.
Cheers,
Wol
Posted Aug 14, 2022 16:13 UTC (Sun) by amacater (subscriber, #790)
Posted Aug 14, 2022 16:30 UTC (Sun) by Wol (subscriber, #4433)
But on my previous system it would have been a lot harder. My current system is still not quite how I want it - for personal reasons it's hard to find time - but the old system didn't really have the disk space or ability to run VMs or anything, and I didn't have the knowledge ... I'm still learning :-)
But it's the assumption that the people who want and could make use of this tool are the same as the people who have all that tooling and resources that gets me - I know your "lone coder" is now much less of a reality than they were, but those people don't necessarily have those resources, and even me, I'm not officially a coder even though in practice I'm turning into a VBA guru (yuck! :-), and if I want those resources I have to pay for them out of my own cash. Unless you live in the West, how many people can afford that?
Cheers,
Wol