-rw-r--r--subtitles.rst54
1 files changed, 54 insertions, 0 deletions
diff --git a/subtitles.rst b/subtitles.rst
new file mode 100644
index 0000000..98ac76c
--- /dev/null
+++ b/subtitles.rst
@@ -0,0 +1,54 @@
+When I was young, my parents taught me not to accept candy from strangers,
+unless they were present and approved of it, because there was a small risk
+of very bad things happening.
+It was of course a simplicistic rule, but it had to be easy enough to follow
+for somebody who wasn't proficient (yet) in the subleties of social
+interactions.
+
+One of the reasons why it worked well was that following it wasn't a big
+burden: at home candy was plenty and actual offers were rare: I only
+remember missing one piece of candy because of it, and while it may have
+been a great one, the ones I could have at home were also good.
+
+Contrary to candy, offers of gratis software from random strangers are quite
+common: from suspicious looking websites to legit and professional looking
+ones, to platforms that are explicitely designed to allow developers to
+publish their own software with little or no checks.
+
+Just like candy, there is also a source of trusted software in the Linux
+distributions, especially those lead by a community: I mention mostly Debian
+because it's the one I know best, but the same principles apply to Fedora
+and, to some measure, to most of the other distributions.
+Like good parents, distributions can be wrong, and they do leave room for
+older children (and proficient users) to make their own choices, but still
+provide a safe default.
+
+Among the unsafe sources there are many different cases and while they do
+share some of the risks, they have different targets with different issues;
+for brevity the scope of this article is limited to the ones that mostly
+concern software developers: language specific package managers and
+software distribution platforms like pypi, npm and rubygems etc.
+
+These platforms are extremely convenient both for the writers of libraries,
+who are enabled to publish their work with minor hassles, and for the people
+who use such libraries, because they provide an easy way to install and use
+an huge amount of code. They are of course also an excellent place for
+distributions to find new libraries to package and distribute, and this I
+agree is a good thing.
+
+What I however believe is that getting code from such sources and using it
+*without carefully checking it* is even more risky than accepting candy from a
+random stranger on the street in an unfamiliar neighborhood.
+
+The risk aren't trivial: while you probably won't be taken as an hostage for
+ransom, your data could be, or your devices and the ones who run your
+programs could be used in some criminal act causing at least some monetary
+damage both to yourself and to society at large.
+
+If you're writing code that should be maintained in time there are also
+other risks even when no malice is involved, because each package on these
+platform has a different policy with regards to updates, their backwards
+compatibility and what can be expected in case an old version is found to
+have security issues.
+
+
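Review bot: the new file has no reStructuredText title, and the hunk ends with two empty lines, so the document will render as an untitled block with trailing whitespace; add a heading with an underline at the top (for example `Candy from strangers` over a line of `=`) and drop the trailing blank lines. Several spellings in the prose should be fixed before merge: "simplicistic" (simplistic), "subleties" (subtleties), "explicitely" (explicitly), "distributions, especially those lead by a community" (led by), "an huge amount of code" (a huge), "The risk aren't trivial" (The risks aren't), "taken as an hostage" (a hostage), and "each package on these platform has" (platforms). The list "pypi, npm and rubygems etc." could also use the projects' own capitalization (PyPI, npm, RubyGems) and drop the redundant "etc." after "and".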