Get the latest tech news

Can we get the benefits of transitive dependencies without undermining security?

One of life’s great pleasures is trust: having confidence in another person to do the right thing warms the hearts of both parties. Despite the cynicism that we sometimes mistake for profundity, modern society would be impossible without a large degree of trust, including trust between people who don’t know each other.

In this post I’m going to argue that the growth in transitive dependencies in software is the equivalent of jamming our door open and hoping for the best — we are putting too much trust in things we don’t and can’t know in detail. Processes have been such a successful security abstraction that we often forget to think of them as an explicit concept: they enable us to place reliable, easily reasoned about, and impermeable boundaries between different pieces of software. Despite this depressing answer, I don’t think we want to turn the clock back to the time before the explosion in transitive dependencies: they have allowed us to give our software more features while making it cheaper to write and more reliable — quite the trio!

Get the Android app