Would you drive on bridges or ride in elevators "inspected" by anons? Why are our standards for digital infrastructure and software "engineering" so low?
replyI don't blame the anons but the people blindly pulling in anon dependencies. The anons don't owe us anything.
A business or government can (should) separately package, review, and audit code without involving upstream developers or maintainers at all.
replyThis option is available already in the form of closed-source proprietary software.
replyIf someone wants a package manager where all projects mandate verifiable ID that's fine, but I don't see that getting many contributors. And I also don't see that stopping people using fraudulent IDs.
Do you know who inspected a bridge before you drive over it?
reply