From 11f51261495f20019016150e311630eca023ef20 Mon Sep 17 00:00:00 2001 From: Elena ``of Valhalla'' Grandi Date: Wed, 24 Aug 2016 16:37:53 +0200 Subject: Started writing "subtitles" --- subtitles.rst | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 subtitles.rst diff --git a/subtitles.rst b/subtitles.rst new file mode 100644 index 0000000..98ac76c --- /dev/null +++ b/subtitles.rst @@ -0,0 +1,54 @@ +When I was young, my parents taught me not to accept candy from strangers, +unless they were present and approved of it, because there was a small risk +of very bad things happening. +It was of course a simplicistic rule, but it had to be easy enough to follow +for somebody who wasn't proficient (yet) in the subleties of social +interactions. + +One of the reasons why it worked well was that following it wasn't a big +burden: at home candy was plenty and actual offers were rare: I only +remember missing one piece of candy because of it, and while it may have +been a great one, the ones I could have at home were also good. + +Contrary to candy, offers of gratis software from random strangers are quite +common: from suspicious looking websites to legit and professional looking +ones, to platforms that are explicitely designed to allow developers to +publish their own software with little or no checks. + +Just like candy, there is also a source of trusted software in the Linux +distributions, especially those lead by a community: I mention mostly Debian +because it's the one I know best, but the same principles apply to Fedora +and, to some measure, to most of the other distributions. +Like good parents, distributions can be wrong, and they do leave room for +older children (and proficient users) to make their own choices, but still +provide a safe default. + +Among the unsafe sources there are many different cases and while they do +share some of the risks, they have different targets with different issues; +for brevity the scope of this article is limited to the ones that mostly +concern software developers: language specific package managers and +software distribution platforms like pypi, npm and rubygems etc. + +These platforms are extremely convenient both for the writers of libraries, +who are enabled to publish their work with minor hassles, and for the people +who use such libraries, because they provide an easy way to install and use +an huge amount of code. They are of course also an excellent place for +distributions to find new libraries to package and distribute, and this I +agree is a good thing. + +What I however believe is that getting code from such sources and using it +*without carefully checking it* is even more risky than accepting candy from a +random stranger on the street in an unfamiliar neighborhood. + +The risk aren't trivial: while you probably won't be taken as an hostage for +ransom, your data could be, or your devices and the ones who run your +programs could be used in some criminal act causing at least some monetary +damage both to yourself and to society at large. + +If you're writing code that should be maintained in time there are also +other risks even when no malice is involved, because each package on these +platform has a different policy with regards to updates, their backwards +compatibility and what can be expected in case an old version is found to +have security issues. + + -- cgit v1.2.3