I'm not arguing, but the standard response (caveat emptor, basically):
> pull that code in without looking at it
Is no longer reasonable. The dependency chains are too vast to expect the end-user to be able to audit the whole thing.
There are a couple of options:
1) Don't use open-source code, and make sure that commercial code that you use doesn't have it.
2) Have some kind of "regulated middleman" auditors, or certification authorities, that can certify (and probably hash) "approved" open-source chains.
They both suck. I worked for a company that did #1. They hired a company (can't remember the name, but it started with "P") that scanned our entire codebase, looking for open source.
#2 is likely to result in either corruption, or "roadblocks," where we can't use new fixed libraries, because the chain hasn't been audited, yet.
> Is no longer reasonable. The dependency chains are too vast to expect the end-user to be able to audit the whole thing.
Each open source project is different. For example I'm using:
Racket: Only the main distribution that is created by the development team and a few packages, and very few additional packages, like 1 or 2 for viewing the assembler version of the compiled functions.
Python: Also only the official distribution, NumPy and perhaps 1 or 2 more packages. The batteries are included, so it's not necessary to download too much.
LaTeX: As many packages as I can add, my coworkers hate me. Each package has a different author and chains to more and more packages. But I'm using MiKTeX and I trust the maintainer, whoever he is [1].
[1] I had to google the name of the maintainer. He is Christian Schenk, I was convinced his name was Michael or something like that.
It sounds like you want to get something for nothing. If you want software that meets some given standard, then someone has to invest the effort to make that happen. This isn't always expensive, but it's never free. So your options are indeed that if that should happen, then it has to be done by the author, an intermediate party, or the consumer. Trying to make the author pay when they're not getting anything out of it is a great way to kill FOSS outright. That's not to say that "open-source code" is some boogeyman that has to be kept away, it just means that you gotta pay someone to make it meet your standards. Heck, offer the original author a contract and you'll solve the problem for everyone, and other problems besides.