Tweak "pinned dependency" discussion #999
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The Pinned-Dependency discussion has a number of problems. First, it doesn't even define the term. Let's fix that. Next, it *WAY* oversells what pinned dependencies can do for you. All they do is fix the dependency. They don't really prevent compromised dependencies; if you pin an already-compromised dependency, you make it worse, because now you don't automatically update to the corrected dependency if there was a later non-malicious version. It often slows automated security updates, so they can actually cause a *reduction* in security (since most updates *fix* security vulnerabilities instead of introducing a compromise). In particular, pinned dependencies are usually a *good* idea for applications but you should NOT pin dependencies in libraries. If a library pins to a version, and the library is only updated 1/year, and the ecosystem requires only 1 version of a library (true for practically all except JavaScript), users can't update any dependencies more than 1/year (and in practice they'll never be aligned). At least a hint of the downsides of pinning should be admitted here. For a larger discussion, see, for example, https://docs.google.com/document/d/1x_VrNtXCup75qA3glDd2fQOB2TakldwjKZ6pXaAjAfg/edit# A better argument for pinning is the reproducibility it brings when using pinning inside an application. I suggest focusing on that first. Pinned dependencies are still typically a good idea for applications, but they should NOT be oversold. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
This is mentioned in the README, but those details should really be here in the detailed documentation, not in the whole-project README. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
laurentsimon
approved these changes
Sep 10, 2021
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
…dependency-doc
…eeler/scorecard into pinned-dependency-doc
|
I believe I resolved @laurentsimon 's comment. |
The scorecard project only intends to enforce pinned dependencies on applications (not libraries), as noted here: ossf#689 However, that's not documented in docs/checks.md! This commit makes it clear that this is *intended* to only apply to applications. It also notes that it's not possible for an automated tool to always categorize software correctly (especially when a project is both). Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
laurentsimon
approved these changes
Sep 12, 2021
|
We need to update |
|
Good catch... I did not even realize it when reivewing. @david-a-wheeler can you send a new PR? Update the yaml file, then run |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The Pinned-Dependency discussion has a number of problems.
First, it doesn't even define the term. Let's fix that.
Next, it WAY oversells what
pinned dependencies can do for you. All they do is fix the
dependency. They don't really prevent compromised dependencies;
if you pin an already-compromised dependency, you make it worse,
because now you don't automatically update to the corrected
dependency if there was a later non-malicious version.
It often slows automated security updates, so they can actually
cause a reduction in security (since most updates fix
security vulnerabilities instead of introducing a compromise).
In particular, pinned dependencies are usually a good idea for
applications but you should NOT pin dependencies in libraries.
If a library pins to a version, and the library is only updated
1/year, and the ecosystem requires only 1 version of a library
(true for practically all except JavaScript), users can't update any
dependencies more than 1/year (and in practice they'll never be aligned).
At least a hint of the downsides of pinning should be admitted here.
For a larger discussion, see, for example,
https://docs.google.com/document/d/1x_VrNtXCup75qA3glDd2fQOB2TakldwjKZ6pXaAjAfg/edit#
A better argument for pinning is the reproducibility it brings
when using pinning inside an application. I suggest focusing on
that first.
Pinned dependencies are still typically a good idea for applications,
but they should NOT be oversold.
Signed-off-by: David A. Wheeler dwheeler@dwheeler.com