[GoLUG] Mailing list, long term.

Ron ron at bclug.ca
Mon Aug 18 22:30:11 EDT 2025


Barry Fishman wrote on 2025-08-18 10:19:

> My impression is that the JS repository has distributed a lot of
> dangerous code, and is very badly supervised.

If you mean Node repos, yes, it has been targeted a lot due to its
popularity.


> Its code is pulled in by the web browser

A lot of Node repos' code is run on the server side - back-end code.


> Although the browser may be heavily sandboxed, it still seems to
> trigger a lot of internet CVEs.

A browser is a very large application by its nature and since it is the
most common interface to the internet, it does get more CVEs than most
applications that are not users' primary internet facing software.

Yet it's exceedingly rare for users to get "infected" via web browser
considering the billions of daily users across billions of devices.


> Python doesn't dynamically load its code from the internet

Yet one line of Python, whether malicious or incompetent, can have
devastating effects with its access to the user's home folder.

It is not sand-boxed at all.


I.e., I argue it's much, much safer for a user to run JS in a browser
than the equivalent functionality in Python.

Plus, JS is supported everywhere and running Python on many platforms is
difficult to impossible for average users.




> Since this thread seems to be the usual response to the "I want to
> write some code to fix this problem I have found", which is "let's
> all discourage them from doing anything"

I disagree; it's more like "Have you considered $x?" and "your assertion
of $y is not well supported", with attempts to explore these issues.

Could save a *lot* of pain during the development process by hashing out
issues in advance.





> I will add:
> 
> It might be nice that when you worked out and tested the initial
> design of the system, and you are ready for it to be used, you make
> documentation for the internet RPCs it uses available.  This would
> allow others to write their own clients (or even servers) in
> whatever language they like.  (For example an Emacs client to go with
> the ones for IRC, Mastodon, Matrix, etc.)

Documenting some API that clients written in other languages can adhere
to is a good idea.


It is something to consider before writing any code, so one's own code
also adheres to it.



> But this would be when you are ready for resilience testing with
> buggy/malicious clients.  Unfortunately, once a server appears
> anywhere on the internet people will find it and try to hack it.

Indeed, this is true.

Adding security afterwards has been shown to be problematic; we've all
seen the Windows fiasco(s) of the 1990s, for example.

Yet another issue to hash out in advance.
