
Risk management anyone?

Posted Oct 3, 2024 21:36 UTC (Thu) by LtWorf (subscriber, #124958)
In reply to: Risk management anyone? by pizza
Parent article: The WordPress mess

Is it vital to check that the original file is still online 5 thousand times per day?

And what if it isn't?

Debian is full of packages whose original websites are gone. Every once in a while someone uses the last .tar.gz from Debian to make a fork.


Risk management anyone?

Posted Oct 3, 2024 21:50 UTC (Thu) by SLi (subscriber, #53131) [Link]

It certainly is vital to check it often if your build does fetch it from somewhere external. Now fetching it from somewhere external may not be the right thing to do, but absolutely, a CI should detect if a build breaks, and a cache would only mask this failure. A proper mirror with no unpredictable expiry rules is another matter.

Risk management anyone?

Posted Oct 3, 2024 21:55 UTC (Thu) by pizza (subscriber, #46) [Link] (1 responses)

> Is it vital to check that the original file is still online 5 thousand times per day?

For a single organization? Probably not. But if it's 50000+ different orgs each checking once a day?

> And what if it isn't?

Then you have to determine why, and adjust your system's data source accordingly.

(Note "original file" can easily point at a private/internal mirror or some sort of SW BoM artifact storage. Granted, some ecosystems make this sort of thing ...challenging to set up and transparently utilize)
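The two comments above describe the same pattern: a build that fetches an external artifact should fail visibly when the source is gone or serves different bytes (rather than having a cache hide that), and the "original file" can just as well be an internal mirror. The script below is an added example, not code from the LWN thread, WordPress or Debian; the function names, file names and the ordered source list are assumptions. It records the expected SHA-256 in the build, tries an ordered list of sources (upstream first, then an internal mirror), and returns non-zero when no source yields the pinned content, so CI breaks instead of silently continuing.

```shell
#!/bin/sh
# Added example (constructed, not from the thread): fetch a pinned dependency
# from an ordered list of sources, verify its SHA-256, fail loudly otherwise.

# sha256_of FILE: print the hex digest, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_one SRC DST: http(s) sources go through curl; anything else is treated
# as a local path so that this example runs offline.
fetch_one() {
    case "$1" in
        http://*|https://*) curl -fsSL "$1" -o "$2" ;;
        *) cp "$1" "$2" ;;
    esac
}

# fetch_pinned EXPECTED_SHA256 DST SRC...: try each source in order and accept
# the first whose content matches the pinned digest. Returns 0 on success and
# 1 when every source is unavailable or serves different bytes. The caller
# should let that failure break the CI run rather than fall back to a cache.
fetch_pinned() {
    expected=$1; dst=$2; shift 2
    for src in "$@"; do
        tmp="$dst.part"
        if ! fetch_one "$src" "$tmp" 2>/dev/null; then
            echo "fetch_pinned: $src unavailable" >&2
            continue
        fi
        actual=$(sha256_of "$tmp")
        if [ "$actual" = "$expected" ]; then
            mv "$tmp" "$dst"
            echo "fetch_pinned: verified $dst from $src" >&2
            return 0
        fi
        echo "fetch_pinned: $src served unexpected content ($actual)" >&2
        rm -f "$tmp"
    done
    echo "fetch_pinned: no source provided the pinned artifact" >&2
    return 1
}

# demo: constructed scenario with a vanished upstream, a mirror serving the
# wrong bytes, and a good internal mirror. The pinned digest is computed from
# the good file, as a real build would record it when the dependency was added.
demo() {
    work=$(mktemp -d)
    printf 'release tarball contents\n' > "$work/good.tar.gz"
    printf 'something else entirely\n' > "$work/tampered.tar.gz"
    pin=$(sha256_of "$work/good.tar.gz")
    fetch_pinned "$pin" "$work/dep.tar.gz" \
        "$work/gone-upstream.tar.gz" \
        "$work/tampered.tar.gz" \
        "$work/good.tar.gz" && rc=0 || rc=1
    rm -rf "$work"
    return $rc
}

# demo_missing: every source is gone or wrong, so the fetch must fail (rc=1).
demo_missing() {
    work=$(mktemp -d)
    printf 'something else entirely\n' > "$work/tampered.tar.gz"
    pin=$(printf 'release tarball contents\n' | sha256_of /dev/stdin)
    fetch_pinned "$pin" "$work/dep.tar.gz" \
        "$work/gone-upstream.tar.gz" \
        "$work/tampered.tar.gz" && rc=0 || rc=1
    rm -rf "$work"
    return $rc
}

demo
```

In a real build the source list would hold the upstream URL followed by the organisation's own mirror or artifact store, and the pinned digest would live next to the dependency declaration; a check like this runs on every build, so a vanished upstream is noticed by the first CI run after it disappears, while the mirror keeps the build green until someone has decided what to do.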

Risk management anyone?

Posted Oct 4, 2024 8:22 UTC (Fri) by LtWorf (subscriber, #124958) [Link]

In my own experience, it's usually a few organizations spamming, rather than many organizations. Easy to see because overnight the daily downloads might halve or double. And I doubt it's because thousands of organizations all went to use a different library on the same day.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds