What to do when you simply cannot trust anyone or anything anymore?
I've found this PHP library for detecting/guessing the language of a given string: https://github.com/patrickschur/language-detection
I would have massive use of this. I would really like to use it.
But I cannot.
All I can think is this:
What if, tomorrow, that developer is either compromised or goes rogue and updates his code with Bitcoin-stealing malware? What if that code is already in the library, waiting for the right moment? Since not even the most used FOSS projects in the world seem to get audited at all by anyone, what are the odds that this super small and obscure one will be safe? Very slim.
I know nothing about the author. I cannot possibly, even if I really tried, assess their competence and reliability. Hell, I don't even really trust Github itself, especially not after it was sold out to Microsoft.
This is handicapping. The only way I could "trust" it would be to ignore all concepts of security and "just believe". I cannot look through all that code, even though it's a very small library. There's tons of files and they can change at any moment. Composer will fetch the new version some day and I won't be sitting there checking all the changes. I know I won't. I even set up and streamlined such a system in the past and I quickly stopped checking the updates. Even with just a few changes, it was just exhausting. I couldn't keep it up.
Is this ever going to get some sort of sensible solution? Some sort of built-in sandbox so that each library runs in its own little vacuum and is only able to send out the "answer" back to the main script or something? I don't understand how others are able to trust all these random strangers in a world absolutely full of scams and evil people lurking behind every corner.
Use audited and approved libraries. That's the answer.
There are paid product/services (e.g. Sonatype, Black Duck) that will run automated tests on random libraries that you submit before using. And there are analysers that inspect code as it runs to make sure that it is not doing unexpected things.
If you want the freedom to use any random person's code, then you take on the risks associated with that.
Else, you have to take on the task of writing everything yourself. You need to weigh the benefits of using strangers' code against needing to write and test everything yourself. The world has decided to "trust but verify" in order to develop at speed.
Welcome to DevSecOps.