Hasty Briefsbeta

Bilingual

Dependencies should be fetched directly from VCS

6 hours ago
  • #dependency-management
  • #security-auditing
  • #package-managers
  • Go's dependency management uses URLs to fetch directly from VCS, enhancing security by avoiding a separate package publishing step.
  • Ruby and other package managers (like npm) rely on published packages (.gem, .tar.gz), which are harder to audit due to lack of commit history and potential for tampering.
  • Auditing Go dependencies is easier: review commit logs via git, while auditing RubyGems requires downloading and diffing package files, a more cumbersome process.
  • Recent security incidents (e.g., npm compromises, xz exploit) often involve injecting malicious code during the package publishing step, not the source repo.
  • The author suggests modifying Ruby's Bundler to enforce fetching dependencies directly from git to improve transparency and auditing, mimicking Go's approach.