Comment on [Corp Blog] Are Electron-based desktop applications secure?
tdawg@lemmy.world 1 year ago
Eh, I think it has more to do with A) inherent complexity and B) the age of the industry. Like a real system is too complex for any one individual to understand. For instance anyone who says they actually understand how memory works hasn’t actually dug a level deeper yet. The real experts all agree no one truly knows; we just inherently trust the old research papers about c/cpp (there was a great discussion from some of the Rust guys that I’ll slap in here if I find it again). As for the second point, it’s pretty obvious that there are hundreds of competing standards for everything. And no one agrees yet on the clear winner. So I hear your sentiment but I don’t think it’s really that simple
deafboy@lemmy.world 1 year ago
I get your argument, and raise you this.
Imagine a medical doctor after an unsuccessful operation: “It was the scalpel maker’s fault. He simply does not understand how the metallurgy works”.
Or an airplane disaster investigator saying: “We couldn’t have known this screw, made by a 16-year-old furniture designer, could contain a screw-hole validation bug that would manifest itself in our use-case.”
I love the rapid prototyping that’s possible thanks to everyone having an easy access to a computer. It’s what makes the progress happen so incredibly fast.
It’s just… when you sit in front of the terminal in the evening, watching the npm build finish with 53 critical CVEs, when you stop and think for a moment… how the hell are we all still alive?
tdawg@lemmy.world 1 year ago
Well I think the biggest difference there is most software isn’t responsible for the safety of human lives. But even if we want to ignore that aspect and take your example of a doctor, is a bone doctor responsible for an unforeseen throat-nose-ear type issue?
Or to bring it back to the original context. Is a frontend dev responsible for what the backend developer does? Is the network guy responsible for the data they process? Yeah? How far do they have to verify? Do they need to go read the SSL spec and spend an entire year learning the repo that manages the version they use? Do they need to comb through every single RFC since the dawn of the internet? Obviously I’m being a bit of an ass with these examples but it’s important we talk about how far we expect due diligence to go
I completely agree that the industry isn’t at an acceptable place with things, but I think calling it unethical/illegal in the average case is a bit of a stretch. Maybe you’re right in that there are some obvious cases we could solve for today though (dependency scanners do exist after all)
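The "obvious case" both commenters land on (an npm build that finishes with critical CVEs, and the fact that dependency scanners exist) can be turned into a build gate. The script below is an added example written for this page, not code from either commenter or from any project; it assumes the JSON shape that `npm audit --json` produces in its version-2 report format (a `vulnerabilities` map keyed by package name, each entry with a `severity` and an `isDirect` flag), and the report it runs on is constructed inline. It also separates direct from transitive dependencies, which is the "how far does due diligence go" question in concrete form: a team can decide to fail on anything, or only on what it chose to depend on directly.

```python
"""Added example: gate a build on a dependency-scan report.

The report shape follows the assumed layout of `npm audit --json`
(auditReportVersion 2). The sample report below is constructed for
illustration and does not describe any real package.
"""
import json

# Constructed sample report in the assumed npm-audit v2 shape.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-direct-lib": {
            "name": "example-direct-lib", "severity": "critical",
            "isDirect": True, "fixAvailable": True,
        },
        "example-transitive-a": {
            "name": "example-transitive-a", "severity": "critical",
            "isDirect": False, "fixAvailable": False,
        },
        "example-transitive-b": {
            "name": "example-transitive-b", "severity": "moderate",
            "isDirect": False, "fixAvailable": True,
        },
        "example-low": {
            "name": "example-low", "severity": "low",
            "isDirect": False, "fixAvailable": True,
        },
    },
})

# Ordering used to compare a finding against the configured threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def summarize(report_json):
    """Count findings by (severity, scope), scope being 'direct' or 'transitive'."""
    report = json.loads(report_json)
    counts = {}
    for entry in report.get("vulnerabilities", {}).values():
        severity = entry.get("severity", "info")
        scope = "direct" if entry.get("isDirect") else "transitive"
        counts[(severity, scope)] = counts.get((severity, scope), 0) + 1
    return counts


def should_fail(report_json, threshold="high", include_transitive=True):
    """Return (fail, offenders): fail is True when any finding at or above
    `threshold` is in scope; offenders lists those package names, sorted.
    Unknown severities are treated as 'info' rather than silently ignored."""
    report = json.loads(report_json)
    min_rank = SEVERITY_RANK[threshold]
    offenders = []
    for name, entry in report.get("vulnerabilities", {}).items():
        if not include_transitive and not entry.get("isDirect"):
            continue
        rank = SEVERITY_RANK.get(entry.get("severity", "info"), 0)
        if rank >= min_rank:
            offenders.append(name)
    offenders.sort()
    return bool(offenders), offenders


if __name__ == "__main__":
    # Stand-alone run: print the breakdown and the gate decision.
    for (severity, scope), count in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{severity:<9} {scope:<11} {count}")
    fail, offenders = should_fail(SAMPLE_REPORT, threshold="high")
    print("FAIL" if fail else "PASS", offenders)
```

Run it as-is to see the decision on the constructed report; in a pipeline, replace `SAMPLE_REPORT` with the captured output of the scanner and exit non-zero when `should_fail` returns `True`. The `include_transitive` switch is the policy knob: a strict gate counts everything that ships, a narrower one counts only the packages the team picked itself, and either choice is defensible as long as it is made explicitly rather than by letting the build go green with 53 criticals in the log.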