How much time/money is lost in that rigorous testing and analysis?
How much are you willing to lose in time/money if you do not do rigorous testing and analysis?
CI/CD = Continuous Impediment/Continuous Despair
You need rigorous testing for any project, whether it contains open source components or not.
Of course you test your project. But in the case of VS, if I code using VS components, I assume that I do not have to test the components' code that I am using.
Open source adds another layer of unknown code into an application, thus requiring double, triple, or however many pieces of open source code you are using; and this adds more rigorous testing on top of your project. I don't need that headache, especially in a RAD development project. Using VS is like building a car from a kit. Using open source (and I will add Java in here simply because of the language itself) is like having to make the parts for the kit.
People l-o-o-o-v-e that "free" stuff.
Member 14840496 wrote: I assume that I do not have to test the components' code
But you still need to test your usage of them. No different to using open source.
Usage, yes. But open source comes from who knows, and can contain who knows what in the source. Some open source allows downloading the source. Why? So you can validate what's in it. I don't need to validate VS as to what's in it, and I've been using it since 2001. So that's over 20 years.
Again, I don't have to rigorously test a VS textbox. But you can bet if I downloaded an open source textbox, I would not feel comfortable unless I rigorously tested the textbox code. That's double work, and it's not a RAD development environment.
Quote: But open source, comes from who knows, and can contain who knows what in the source.
But isn't that avoided by using only well-known open source projects? For example, I use Apache, MariaDB, PHP, and iText7. I doubt they have more security issues than anything by Microsoft. Of course, using LeeT2000's fork of any of those would be reckless.
Of course there are long-time, well-known items like iText7. But I am going by the original CodeProject topic today stating that there is a lot of time/money needed to secure open source.
I use JavaScript in web apps. It's open source, but it's been around for years and comes from a single source. Plus, it's a language, not a tool/component. Apache has been around for years as well. And PHP, well, let's just say it has a beard.
There's a lot of stuff out there, as you pointed out. The creators make it sound good, but just who are they? Too many people see free and drool at downloading it.
Member 14840496 wrote: Open source adds another layer of unknown code into an application
...and closed source is "better known"?
Or are you saying you bury your head in the sand and assume commercial, paid-for, closed source is inherently secure and you don't have to test it?
Ummmm...yeah.
VS has been around for over 20 years.
Sure, there is some open source that has been around for several years, like iText, Apache, etc. But there are tons of freeware out there that I would never touch, especially in an enterprise environment.
Member 14840496 wrote: VS has been around for over 20 years.
...and every new version introduces a new set of bugs. It's a running joke around here at least on CP.
So what are you trying to say here?
Slacker007 wrote: If you find open source code that fits your needs and through rigorous testing and analysis you have determined that it will work fine in Production, then I do not see the big deal.
Until you have to go through that entire process again when a component is updated. Then it becomes a big deal to the C-Suite folks.
The flaw in open source is that no one, and I mean no one, has a good dependency map of the open source in their systems. This translates into a component multiple layers down being updated for a security flaw and the users of that component don't even know it's in their systems. This is why the Log4J bugs are so insidious.
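The post above complains that nobody has a dependency map showing which components sit several layers down. As an added example (not code from the thread or from any project mentioned in it), here is a small dependency walker over a constructed, SBOM-style component list: given a component name it reports every path by which that component reaches the application, so a "multiple layers down" update can be traced to the top-level dependency that pulls it in. All component names are hypothetical; only "log4j-core" echoes the Log4j remark.

```python
# Constructed sample: each entry maps a component to its direct dependencies.
# Only the entries under "app" are visible in the project's own manifest;
# everything else arrives transitively.
SAMPLE_DEPS = {
    "app": ["web-framework", "pdf-lib", "json-utils"],
    "web-framework": ["logging-facade", "http-client"],
    "pdf-lib": ["image-codec"],
    "json-utils": [],
    "logging-facade": ["log4j-core"],
    "http-client": ["logging-facade"],
    "image-codec": [],
    "log4j-core": [],
}

def dependency_paths(deps, root, target):
    """Return every path root -> ... -> target as a sorted list of component lists.

    Depth-first walk over the graph; `deps` maps a component to its direct
    dependencies. The path-membership check guards against cycles."""
    found = []
    stack = [[root]]
    while stack:
        path = stack.pop()
        node = path[-1]
        if node == target:
            found.append(path)
            continue
        for child in deps.get(node, []):
            if child not in path:          # skip cycles
                stack.append(path + [child])
    return sorted(found)

def max_depth(paths):
    """Number of hops from the root on the deepest path (0 if no path)."""
    return max((len(p) - 1 for p in paths), default=0)

def is_hidden(deps, root, target):
    """True when the target is reachable but is not a direct dependency of root,
    i.e. it would not appear in the project's own manifest."""
    return target not in deps.get(root, []) and bool(dependency_paths(deps, root, target))

if __name__ == "__main__":
    paths = dependency_paths(SAMPLE_DEPS, "app", "log4j-core")
    for p in paths:
        print(" -> ".join(p))
    print(f"{len(paths)} path(s); deepest is {max_depth(paths)} hop(s) below the app;"
          f" hidden from the manifest: {is_hidden(SAMPLE_DEPS, 'app', 'log4j-core')}")
```

Feeding a real lockfile or SBOM into `SAMPLE_DEPS` (component name to list of direct dependencies) is all that is needed to run the same walk over an actual project.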
Agreed. To make sure we are bullet proof, we only use Microsoft products. They have never been compromised.
Some days the dragon wins. Suck it up.
Lots of systems get compromised. But that seems to be an almost unpreventable EXTERNAL cause.
You are confusing external code contamination with purposeful internal injected code that YOU put into your system.
YOU is not the same as THEM. So in essence, doubling odds. Instead of being inadvertently attacked from an external source, YOU actually downloaded the attack yourself.
Contest was terminated at Eastern Standard Time and corrupted by ulterior man in the middle. (12)
Intermediate?
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well-preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming 'Wow! What a Ride!'" - Hunter S Thompson - RIP
Nope,
But your answer tells me you chose the correct definition. Look closely for the clue indicators. No trickery, the clue is very well formed, although the answer is an uncommon word. Might need to grab the unabridged dictionary.
interlocutor (anagram of contest + ulterior)
Good job, you solved it.
Contest was terminated at Eastern Standard Time and corrupted by ulterior man in the middle. (12)
Contest was terminated at Eastern Standard Time = ContEST
and corrupted by = anagram indication
ulterior = anagram letter pool
man in the middle = interlocutor
INTERLOCUTOR
Had a job back in the day working on Tandem machines. We had a contractor who came from Quebec and English was his second language but he knew the operating system and machine better than the rest of us. I guess he was translating from French but the guy actually used this word in documentation. We all thought he was a pretentious biblical donkey.
I’ve given up trying to be calm. However, I am open to feeling slightly less agitated.
Yeah,
He probably used a translator to produce the text. The Latin family of languages use this word much more frequently. Searching for "interlocuteur" gives me over 10 million matching pages.
I've got a sparkie coming round to change my electricity meter to a sparkling new smart meter this morning, and all I know is "he'll be there between 8 and 12" and that "the electricity will be off for about 45 minutes".
So I can't get stuck into anything because I don't know when I'll have an hour's gap in my thought processes. Grr!
Surely they could at least tell you "You're number 3 on his list this morning" which would give me a shorter window? But no ... I have to sit here like a prune twiddling my thumbs ... and no CCC yet to think about ...
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
I know, it's a strange idea, but there are computers that can operate on batteries. Some even for months, and twice as long if I leave out all power-draining displays and don't light the thing up like a Christmas tree with LEDs.
I have lived with several Zen masters - all of them were cats.
His last invention was an evil Lasagna. It didn't kill anyone, and it actually tasted pretty good.
Yep, and my Surface will, plus I can internet it via a phone hotspot while the broadband is out.
But ... it's a single tiny monitor, and a cramped keyboard, and I don't have access to my NAS while the power is out, and ...
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
CodeWraith wrote: I know, it's a strange idea, but there are computers that can operate on batteries.
In the old days, we even had information that was available without either electric power or an internet connection.
If my memory is correct, that kind of information was called "books" or "magazines". In my basement, I might be able to find a few of them - and I really should: I should refresh some of my old knowledge that has more or less worn off since.
I might even find newer "books" that I have bought, planning to learn new stuff, but never got around to studying them. Maybe a handful of hours is not enough for a deep study, but it could make a good start.