[GTALUG] security threats of Open Source

D. Hugh Redelmeier hugh at mimosa.com
Thu Jan 23 16:37:29 EST 2020


| From: o1bigtenor via talk <talk at gtalug.org>

| In this vein - - - - a contact who in computer terms calls himself a dinosaur
| refuses to allow JavaScript on his computers, doing all his browsing on text
| based browsers. In his opinion JavaScript is a serious accident already in free
| fall. What you're sharing only emphasizes that. Maybe it's time to join his
| anti-JavaScript position?

The issues are a little more intricate.

Note npm is a repo (mostly?) for JavaScript to run under node.js.
node.js is a server-side thing.  It runs JavaScript on the server.  Not in
the client (browser).

JavaScript itself isn't terrible.

What is unfortunate, I think, is the unfettered creativity JavaScript
in the browser allows web designers.  They misuse it, just like they
did Adobe Flash previously.  To some extent this is caused by the good
sides of JavaScript: how easy it is to learn, how easy it is to whip up
complexity, how easy it is for the page creator to take control of the
browser experience.

What I was talking about was how easy it is to inject malicious code into 
the ecosystem.  That isn't actually the fault of the language.  (It is 
imaginable that one could design a language that prevented some abuse.)

In fact, the language+browser have been designed to limit the damage
that could be inflicted on the client side.  The npm problem is mostly
server-side, I think (I'm not sure).

Making something easier (cheaper, faster, more understandable, ...)
allows it to be used more, often to excess.  Unexpected side effects
can ensue.

- increasing efficiency of cars makes driving cheaper so people
  drive more and end up using more total energy (gasoline).

- computers became a lot cheaper.  So a lot more money is spent on
  computers.

- programming has become easier.  So a lot more pointless programs have
  been created.

- when I worked on optimizing compilers, I thought that I was trying
  to make existing programs run faster.  Then it struck me that it
  allowed programmers to write programs in a simpler and clearer way
  and have the compiler eliminate the performance cost.

Here's a random example of npm use:

<https://www.electronjs.org/>

