426

submitted 5 months ago by devilish666@lemmy.world to c/programmerhumor@lemmy.ml

56 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[-] bort@sopuli.xyz 25 points 5 months ago* (last edited 5 months ago)

I’m no security expert and the sensible thing to do is using a library instead of taking a class.

Counterpoint: "not knowing your libraries" + "blind trust in the maintainer" will give you stuff like this: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in

(the thread itself is worth a read. But also very impressive is the list of big players who fell for exactly this mentality)

[-] gears@sh.itjust.works 7 points 5 months ago

Jesus that was one hell of a thread

[-] anguo@lemmy.ca 3 points 5 months ago

I dont want to see the words "low quality tooling" ever again.

[-] unique_hemp@discuss.tchncs.de 4 points 5 months ago

Love the part where he claims that if your users are authenticated, it's not untrusted input. I mean, surely you trust all of your users to run any code on your server, right?

[-] Gabu@lemmy.ml 3 points 5 months ago

Impressive and unsurprising. As soon as you start getting complex libraries with multiple dependencies it becomes nearly impossible to review everything. At one time I had an interest in contributing to some AI libraries, but they're a mess as soon as you go looking for points of improvement.

this post was submitted on 03 Apr 2024

426 points (89.2% liked)

Programmer Humor

31990 readers

62 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

Posts must be relevant to programming, programmers, or computer science.
No NSFW content.
Jokes must be in good taste. No hate speech, bigotry, etc.

founded 5 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

cat_programmer@lemmy.ml