I've found this PHP library for detecting/guessing the language of a given string: https://github.com/patrickschur/language-detection
I would have massive use of this. I would really like to use it.
But I cannot.
All I can think is this:
What if, tomorrow, that developer is either compromised or goes rogue and updates his code with Bitcoin-stealing malware? What if that code is already in the library, waiting for the right moment? Since not even the most used FOSS projects in the world seem to get audited at all by anyone, what are the odds that this super small and obscure one will be safe? Very slim.
I know nothing about the author. I cannot possibly, even if I really tried, assess their competence and reliability. Hell, I don't even really trust GitHub itself, especially not after it was sold out to Microsoft.
This is handicapping. The only way I could "trust" it would be to ignore all concepts of security and "just believe". I cannot look through all that code, even though it's a very small library. There are tons of files and they can change at any moment. Composer will fetch the new version some day and I won't be sitting there checking all the changes. I know I won't. I even set up and streamlined such a system in the past and I quickly stopped checking the updates. Even with just a few changes, it was just exhausting. I couldn't keep it up.
Is this ever going to get some sort of sensible solution? Some sort of built-in sandbox so that each library runs in its own little vacuum and is only able to send out the "answer" back to the main script or something? I don't understand how others are able to trust all these random strangers in a world absolutely full of scams and evil people lurking behind every corner.
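One practical way to shrink the review burden the post describes is to diff the committed composer.lock before and after an update, so only the packages whose version, commit or archive hash actually changed need a look. The script below is an added example, not code from the post or from the language-detection project; the two lock-file excerpts, the helper package names, commit references and checksums are all constructed for illustration.

```python
import json

# Constructed composer.lock excerpts (not real lock files). Only the first package
# name comes from the post; versions, commit references and shasums are made up.
LOCK_BEFORE = json.dumps({"packages": [
    {"name": "patrickschur/language-detection", "version": "5.2.0",
     "source": {"type": "git", "reference": "aaaa1111"},
     "dist": {"type": "zip", "shasum": "d1" * 20}},
    {"name": "vendor/helper", "version": "1.0.0",
     "source": {"type": "git", "reference": "bbbb2222"},
     "dist": {"type": "zip", "shasum": "d2" * 20}},
]})
LOCK_AFTER = json.dumps({"packages": [
    {"name": "patrickschur/language-detection", "version": "5.2.0",
     "source": {"type": "git", "reference": "cccc3333"},  # same tag, different commit
     "dist": {"type": "zip", "shasum": "d3" * 20}},
    {"name": "vendor/helper", "version": "1.1.0",
     "source": {"type": "git", "reference": "dddd4444"},
     "dist": {"type": "zip", "shasum": "d4" * 20}},
    {"name": "vendor/new-transitive", "version": "0.1.0",
     "source": {"type": "git", "reference": "eeee5555"},
     "dist": {"type": "zip", "shasum": "d5" * 20}},
]})

def index_packages(lock_text):
    """Map package name -> (version, source commit reference, dist shasum)."""
    data = json.loads(lock_text)
    pkgs = data.get("packages", []) + data.get("packages-dev", [])
    return {p["name"]: (p.get("version"),
                        p.get("source", {}).get("reference"),
                        p.get("dist", {}).get("shasum")) for p in pkgs}

def lock_diff(before_text, after_text):
    """Return {package: [notes]} for every package added, removed or changed.
    A changed commit or archive hash under an unchanged version is flagged,
    because a re-tagged release is exactly the kind of silent change to inspect."""
    before, after = index_packages(before_text), index_packages(after_text)
    findings = {}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            findings[name] = ["added: new code enters the tree, review it whole"]
        elif new is None:
            findings[name] = ["removed"]
        elif old != new:
            notes = [f"version {old[0]} -> {new[0]}"] if old[0] != new[0] else []
            if old[1] != new[1]:
                notes.append(f"commit {old[1]} -> {new[1]}")
            if old[2] != new[2]:
                notes.append("dist shasum changed")
            if old[0] == new[0]:
                notes.append("WARNING: content changed but version did not")
            findings[name] = notes
    return findings

if __name__ == "__main__":
    for name, notes in lock_diff(LOCK_BEFORE, LOCK_AFTER).items():
        print(name, *("  - " + n for n in notes), sep="\n")
```

Run against the real before/after copies of composer.lock from version control, the output is the list of packages whose vendor directories are worth diffing; everything else is byte-for-byte what was already reviewed.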