Tim Zhang
I work on deps.dev!
Session
Number 5 will shock you!
Forget what you think you know about robust dependency graphs, the security gains of living at Head, and those supposedly solid requirements.txt files. We'll get down to the nitty-gritty of open source security, giving you real-world, large-scale insights into common misconceptions across programming ecosystems.
While it's true that there is only one dependency graph (for you) (*right now), it's not always understood what impact this can have at an ecosystem level.
We've got ecosystem-level stats on just how many PURLs map to multiple different packages, dependency graph shifts that happen faster than you can type git commit, and some surprises with Git (im)mutability!
We will talk about vulnerabilities in your transitive dependencies, understanding what even ARE your dependencies, and trying to identify what that one (*for certain values of one) CVE you were supposedly affected by actually is. (Not to mention what, if anything, you can do about it.)
You’ll leave this talk with a better understanding of open source edge cases and just how common they are. You’ll be shocked, amazed, horrified, and hopefully a little optimistic about the state of open source security and your place within it.