2016-09-11
Seems to me that the fundamental problem is that our customers trust us with their data, and we implicitly trust the dependencies we use not to do anything bad.
There are a few trust issues, I think: 1. How do we verify that JARs we download from an untrusted source like Clojars haven't been tampered with? 2. How do we verify that dependencies don't do anything bad? (2) seems to come down to auditing JAR updates before updating deps; I'm not sure how else you can verify that a dependency isn't doing anything bad. (1) seems a little more tractable, by defining a mechanism for trusting a developer and therefore trusting their releases.