top | item 23179976

(no title)

haack | 5 years ago

> Should you review the code of all imported modules? This is virtually impossible.

I wouldn't be surprised if this was exactly the direction that Deno was trying to move towards. Fewer direct dependencies with some amount of transitive trust.

I.e. "[Deno] has a set of reviewed (audited) standard modules"

> Windows CP without SP 2 and Internet explorer bellow 6

I get the point you're trying to make with this hyperbole but browsers still let you view http pages (by default).

> Deno must disable http by defaulkt and provide a flag to re-enable it. This is factually a security issue in Deno.

Again I agree with your idea about disabling by default but there is another perspective (and I think Ryan deserves some empathy).

discuss

ecares|5 years ago

At this point, there is clearly a vuln in a tool that brands itself as secure and in opposition with another project.

The marketing around Deno has been made toward that and it makes no sense to reach 1.0.0 with such a big security issue unhandled.

Also, this part is even more frightening https://github.com/denoland/deno/issues/1064#issuecomment-43....

At this point, it is clear that Deno is lying for marketing reason by calling itself secure.

Of course Ryan deserves empathy, so does Bert. But in the meanwhile during their talks at major conferences, they have trolled a lot another project. The maintainer of that other project now get weekly/daily pings from deno supporters trolling them.

Deno's culture seems big around trolling atm, a CoC could have fixed it, the th (B)DFL has decided another way.

haack|5 years ago

It seems like this is not simply about the decision of whether to allow http by default and security of dependencies.

I'm not familiar with the surrounding politics and don't particularly want to be involved, but I appreciate the explanation.

unknown|5 years ago

[deleted]