Hacker News

The lesson is that code peer review is essential for every piece of code, including dependencies and every update. The crev folks have a potential solution to that:

https://github.com/crev-dev/



I don't believe that outsider review scales. The amount of energy it takes to review unfamiliar code vastly exceeds the amount of energy it takes to hide something malicious, and a chain is only as strong as its weakest link.

Ongoing review by project committers — highly invested insiders, familiar with the codebase — is more realistic, at least in terms of actually detecting problematic code.

I was disappointed when I learned that crev's scope includes code quality, a highly subjective and inflammatory subject. I can't see how crev avoids becoming a poo-flinging venue. It seems to me as though competing initiatives which limit the focus to verifying publisher identity hold more promise.


It likely very much depends on which reviewers you get; e.g., Google Zero folks are probably good at code review. I think crev probably handles that through trust scores for reviewers.


The lesson is never auto-update, i.e. pin versions all the way down, like the old days when everything was compiled in.


That doesn't solve anything, since the version you have could have the issue and you wouldn't know it if you hadn't audited it.
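As an added illustration of the pinning point raised above (example code written for this page, not from crev or any commenter): a small checker for a pip `requirements.txt` that flags dependencies which are not pinned to an exact version, and dependencies that are pinned but carry no `--hash=` so a re-uploaded artifact of the same version would still be accepted. The sample requirements file and the sha256 digest in it are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample in pip's requirements format (not from a real project).
# The sha256 value is a placeholder, not a real artifact digest.
SAMPLE_REQUIREMENTS = """\
# pinned and hash-locked: pip rejects any artifact whose digest differs
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
# pinned, but no hash: a re-uploaded artifact with this version is accepted
urllib3==2.0.7
# floating range: any future release is pulled in on the next install
certifi>=2023.7.22
idna
"""

@dataclass
class Finding:
    name: str
    line: str
    problem: str

# name, optional exact pin (==x.y.z), then whatever options follow
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-\[\]]+)\s*(==\s*[^\s\\]+)?(.*)$")

def _logical_lines(text):
    """Join pip-style backslash continuations; drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def audit_requirements(text):
    """Return one Finding per dependency that is not pinned, or pinned without a hash.
    Note the limit of the technique: a pin with a hash only guarantees you install
    the exact bytes you audited; it says nothing about whether those bytes are clean."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-"):        # -r / --index-url style options, not a package
            continue
        name, pin, rest = PIN_RE.match(line).groups()
        if not pin:
            findings.append(Finding(name, line, "not pinned to an exact version"))
        elif "--hash=" not in rest:
            findings.append(Finding(name, line, "pinned but no artifact hash"))
    return findings

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f.name}: {f.problem}  ({f.line})")
```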



