mario4tier
commented
4 months ago Thanks for your confidence, but you should not trust me neither :smile:
My Github account could be hijack etc...
A few relatively good news with TA-Lib:
- 100% open-source and can independently be audited.
- Can be verified to NEVER do any network access.
- Generated code (and test) to mitigate human error (with array/buffer overflow).
- Development is moving at turtle speed (if at all), so changes are easy to track.
Opinion
I think the bigger problem is NOT with open-source projects.
Guaranteeing a complete secure developer setup is hard. Example:
VSCode add-ins are blindly giving 100% access to the host... and many of these add-ins are closed source.
summa-code
With recent incident with XZ utils in Linux, how do we trust the contributing authors? Not questioning the authenticity of the original author. But not sure about the other contributors.