Cautionary Tale of "Unpublished" 17 Lines of Code

[jedishrfu]

An interesting article on the connected nature of things on the internet:

http://arstechnica.com/information-...7-lines-of-javascript-and-broke-the-internet/

 

[Borg]

Nice.

 

[QuantumQuest]

It is a sadly case of us developers being mere users and in many cases just bystanders, of what is taking place in our software, due to the logarithmically increased complexity of the systems/components we use and software demands - as a whole, that we have to face. Surely, no one can overlook the advantages of well implemented and tested libraries and components and there are good efforts and will, to overcome such issues. However, what reduces our development time and efforts, can suddenly get a real boomerang towards our heads and the worst thing is that it gradually becomes totally out of our control.

 

[jedishrfu]

It is a sadly case of us developers being mere users and in many cases just bystanders, of what is taking place in our software, due to the logarithmically increased complexity of the systems/components we use and software demands - as a whole, that we have to face. Surely, no one can overlook the advantages of well implemented and tested libraries and components and there are good efforts and will, to overcome such issues. However, what reduces our development time and efforts, can suddenly get a real boomerang towards our heads and the worst thing is that it gradually becomes totally out of our control.

I wouldn't say it's out of your control. Many shops archive third party lobs and their source for just such an event. However in the JavaScript world, it's not uncommon to simply reference the needed library from wherever it's hosted to get the latest and greatest version and in this case it can become a huge problem.

 

[QuantumQuest]

However in the JavaScript world, it's not uncommon to simply reference the needed library from wherever it's hosted to get the latest and greatest version and in this case it can become a huge problem.

Yes, I mainly talk about such cases with web libraries/components and versions. JavaScript has become a real messy thing in its present form of frameworks and because it's usually the case to reference what you need than to include it, things are getting really out of control or messy and upsetting at best. If archiving is an option then surely it's utilized.

 

[jedishrfu]

My favorite book title for javascript:

Javascript: The Good Parts by Orielly Press

https://www.amazon.com/dp/0596517742/?tag=pfamazon01-20

 

[anorlunda]

The risks of dependencies are not limited to open source.

At least part of the risk is dependency on anything that might change in the future. I have often wondered how much security we forgo by not making some systems read-only after deployment.

For example, a Chromebook laptop with all the software and static data burned in ROM, and no mechanism for update or change, and no external links to software like javascript. Even buffer overflows could not overwrite code or static data. That would defeat a lot of future bugs and malware; not all but a lot.

Another example, if Iran had their PLCs as ROM only, would that have defeated the Stuxnet worm?

 

[HallsofIvy]

My favorite book title for javascript:

Javascript: The Good Parts by Orielly Press

https://www.amazon.com/dp/0596517742/?tag=pfamazon01-20

Is that like "JavaScript: the naughty bits"?

 

[jedishrfu]

Is that like "JavaScript: the naughty bits"?

Nah that was book two yet to be published.

 

[DrClaude]

What I don't understand is that the package was published under WTFPL. This means that npm could've left it in their repository.