I try to minimise the impact of security vulnerabilities, but it just seems painstaking to look through a ton of code. Is there processes that people/companies follow that decrease the time taken to do this?
- what is the license? (Avoiding copyleft headaches)
- do the issues look cared for?
- is there an issue asking “is the project maintained any longer?”
- what business or person is behind the project? What is their motive for creating the project?
- how much of an impact would it be if the project disappeared tomorrow? Could I maintain a fork or rebuild it? Is it core business functionality or a side thing?
- do others at my company use it? Or do they have a different library/etc for solving the problem?
The above plus who is maintaining the code ? Did they put an intern to manage issues and do they understand the issues ? Are pull requests quickly accepted or refuse ?
For example, there's a library we rely on for our product where they put an intern in charge of issues and take 5 months to accept pull requests or fix the bug. This has lead us to develop plugins instead of contributing or maintaining a fork (not to deal with conflicts).
> - what is the license? (Avoiding copyleft headaches)
If your app is server-side, GPL explicitly permits "private use" of GPL code without licensing anything to anyone, as long as you keep it private on your server.
I check if it's on a list of libraries that we're allowed to use in our bank (my employer). Then I learn that the list is a total mess, the people in charge of it have been purged in the latest round of cost-saving-inspired firings and apparently no one was assigned this responsibility after that. Then I just use whatever I want.
Ideally you can use the libraries provided by your linux distribution / vendor, and they can do the heavy lifting and economies of scale can be taken advantage of.
Even if you're not actually running your code on Debian / RHEL / whatever, using libraries that are distributed by those vendors where possible is a good start.
- what is the license? (Avoiding copyleft headaches)
- do the issues look cared for?
- is there an issue asking “is the project maintained any longer?”
- what business or person is behind the project? What is their motive for creating the project?
- how much of an impact would it be if the project disappeared tomorrow? Could I maintain a fork or rebuild it? Is it core business functionality or a side thing?
- do others at my company use it? Or do they have a different library/etc for solving the problem?