Yes, but it requires people. Typically, you identify a package you want (or a new version of a package you want) and you send off a request to a separate security team. They analyze and approve, and the package becomes available in your internal package manager. But this means 1) you need that team of people to do that work, and 2) there's a lot of hurry-up-and-wait involved.
> Yes, but it requires people.
I've heard rumor of a few 100k people laid off in tech over the past few years that might be interested.
Doesn't even require that many people. The analysis can mostly be automated, and the request process can be handled via peer review. Having one or two people for every 100-200 developers who can give sensible advice, provide some general oversight of what's going on, and step in to say 'no' occasionally does help though.
Also means you can put an end to a popular antipattern that has grown in recent years: letting your production infrastructure talk to whatever it likes to download whatever it likes from the Internet.
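One concrete way to enforce the approval workflow discussed in this thread is a CI gate that compares a project's pinned lockfile against the security team's allowlist before anything is installed, so an unreviewed package or an unapproved version fails the build rather than being fetched from the public index. The script below is an added illustration, not code from anyone in this thread; the allowlist contents, the `APPROVED` name, the lockfile lines and the `check_lockfile` function are all constructed for the example, and the name normalization follows PEP 503 so that `PyYAML` and `pyyaml` are treated as the same package.

```python
"""Gate a requirements lockfile against an internal package allowlist.

Added example: the allowlist and lockfile below are constructed sample data,
not a real project's files.
"""
import re
import sys
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample allowlist: package -> versions the review team approved.
# In practice this would be loaded from the internal mirror's configuration.
APPROVED: Dict[str, Set[str]] = {
    "requests": {"2.31.0", "2.32.3"},
    "cryptography": {"42.0.8"},
    "pyyaml": {"6.0.1"},
    "urllib3": {"2.2.2"},
}

# Constructed sample lockfile: one approved pin, one unapproved version,
# one never-reviewed package, and one unpinned entry.
SAMPLE_LOCKFILE = """\
requests==2.32.3
cryptography==41.0.0
PyYAML==6.0.1
left-pad-py==0.1.0
urllib3
# comments and blank lines are ignored
"""

# Matches "name" or "name==version"; anything after ';' or '#' is ignored.
_LINE_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;#]+))?")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lockfile(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (normalized_name, pinned_version or None) per requirement line."""
    entries: List[Tuple[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if match is None:
            # Unparseable lines are surfaced rather than silently skipped.
            entries.append((normalize(line), None))
            continue
        entries.append((normalize(match.group(1)), match.group(2)))
    return entries


def check_lockfile(
    text: str, approved: Dict[str, Set[str]] = APPROVED
) -> List[Tuple[str, Optional[str], str]]:
    """Return (name, version, reason) for every entry that fails the gate."""
    allow = {normalize(name): versions for name, versions in approved.items()}
    violations: List[Tuple[str, Optional[str], str]] = []
    for name, version in parse_lockfile(text):
        if name not in allow:
            violations.append((name, version, "package has not been reviewed"))
        elif version is None:
            violations.append((name, None, "version not pinned; approval is per version"))
        elif version not in allow[name]:
            violations.append((name, version, "version not approved"))
    return violations


def main(argv: List[str]) -> int:
    """Read a lockfile path (or use the sample) and exit non-zero on violations."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOCKFILE
    problems = check_lockfile(text)
    for name, version, reason in problems:
        print(f"BLOCKED {name}{'==' + version if version else ''}: {reason}")
    print("OK" if not problems else f"{len(problems)} violation(s)")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it with no arguments checks the constructed sample and exits 1 because three of the five entries fail; pointing it at a real lockfile in a CI step turns the review team's decisions into a hard gate, which is what makes the egress restriction mentioned above workable in practice.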