How do you vet third-party code before using it?

Asked By CuriousCoder99 On

I'm curious about the different methods people use to check third-party code before running it on their machines. Do you have a particular routine? Do you sandbox everything, or do you only skim the entry points? Maybe you rely on the reputation of the source? I'd love to hear about your real-world habits and workflows!

5 Answers

Answered By BankJobber72 On

When I worked at a bank, we had this whole "certification" process for third-party code. Most of the time, we'd download the source code and just create our versions from it. It sounds risky, but that’s how we handled it!

SafetyFirst101 -

Certified firing if something goes wrong! Sounds like a simple way to attach it to someone.

Answered By FDAwhiz On

In my experience with FDA-regulated software, it's a real hassle! We have to vet the entire project from licenses to bug reports and static code analysis. Everything gets logged for FDA audits. But for other projects, I’ll check the license and run a snyk report on it.

Answered By SkepticalDev On

Honestly, I don’t use third-party code unless I fully understand it. If it’s not straightforward enough for me, I skip it unless it's from a well-known project or companies I trust to have done proper vetting. It’s a common pathway for malware.

Answered By OpenSourceObserver On

That’s the big dilemma with open source; vetting is so labor-intensive that it often doesn’t happen. That’s why you see secure Linux versions lagging behind the others.

Answered By AIenthusiast88 On

These days, I've started running AIs in a non-admin user account to limit potential damage. For tools on Linux, I usually rely on Docker. It adds an extra layer of safety.
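The isolation step AIenthusiast88 describes (a non-admin account plus Docker), as an added example that is not part of any answer in this thread: a bash wrapper that runs a third-party tool in a container with root, network access, Linux capabilities and a writable root filesystem all removed. The tool directory argument, the `alpine:3.19` image and the `SANDBOX_*`/`sandbox_*` names are this example's own assumptions, not something the thread specifies.

```bash
#!/usr/bin/env bash
# Added example: run an untrusted third-party tool in a locked-down container.
# Assumptions (not from the thread): docker is installed, the tool lives in the
# directory passed as the first argument, and alpine:3.19 is a suitable image.
set -euo pipefail

SANDBOX_IMAGE=${SANDBOX_IMAGE:-alpine:3.19}

# Everything a bare `docker run -v "$PWD":/work image ./tool` leaves open
# (root user, network, default capabilities, writable rootfs), closed explicitly.
SANDBOX_FLAGS=(
  --rm
  --user 65534:65534                        # nobody, not root
  --read-only                               # image filesystem is immutable
  --tmpfs /tmp:rw,noexec,nosuid,size=64m    # only scratch space, not executable
  --network none                            # no outbound connections
  --cap-drop ALL                            # no Linux capabilities
  --security-opt no-new-privileges          # setuid binaries cannot escalate
  --pids-limit 128 --memory 256m            # bound fork bombs / memory abuse
)

# Print the full docker command, one argument per line, for running "$@" with
# the tool directory mounted read-only at /work. Nothing executes here, so the
# command can be reviewed or logged before sandbox_run uses it.
sandbox_cmd() {
  local tool_dir
  tool_dir=$(cd "$1" 2>/dev/null && pwd -P) || {
    printf 'sandbox_cmd: not a directory: %s\n' "$1" >&2
    return 1
  }
  shift
  printf '%s\n' docker run "${SANDBOX_FLAGS[@]}" \
    -v "$tool_dir:/work:ro" -w /work "$SANDBOX_IMAGE" "$@"
}

# Execute exactly the command sandbox_cmd prints (requires docker).
sandbox_run() {
  local -a cmd
  mapfile -t cmd < <(sandbox_cmd "$@")
  [ "${#cmd[@]}" -gt 0 ] || return 1      # sandbox_cmd rejected the directory
  "${cmd[@]}"
}

# Usage: sandbox_run ./untrusted-tool sh ./install.sh
```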
