
> This is a bit cynical isn't it (...)

No, it's called security.

Let's put it this way: there have been FLOSS projects whose maintainers intentionally pushed compromised code to unsuspecting end users. See for example the colors attack.

What leads you to believe that good intentions are enough?



> Let's put it this way: there have been FLOSS projects whose maintainers intentionally pushed compromised code to unsuspecting end users. See for example the colors attack.

Following this logic, we should all stop using any and all software for which we haven't personally inspected the full source code, since this could happen to any of them.


That's the extreme end, sure.

A more reasonable take would be to assess your risk tolerance and the possible benefit for each piece of software you install, and then make the best decision for yourself based on that assessment.

For some people, that means not running an extension that provides minor quality of life improvements due to the possibility of it turning malicious further down the road. For other people, it means the opposite.

Not sure why every security-related conversation devolves into one extreme vs. another extreme. Security must be appropriately balanced against risk tolerance, inconvenience, and a number of individual concerns and preferences.


If you personally think extensions are too much of a security risk for you, sure, don't use them. But please don't comment "ackshually extensions are insecure and using them is a bad idea" on every post about a browser extension. We already know the risks, it's explained when you install them, we don't need to hear the same lecture every day.


> But please don't comment "ackshually extensions are insecure and using them is a bad idea"

I haven't? My first comment on this entire topic is the one you are replying to... And it can be summed up as "risk tolerance and security decisions are personal".

Yikes.


I really shouldn't have to explain this, but that statement wasn't directed at you specifically.


> If you personally think

How am I supposed to know a direct reply to my comment, saying "if _you personally_" is not actually directed at me personally?

If it wasn't directed at me, I'm not sure why you replied to my comment at all.


Your comment doesn't exist in a vacuum, it's part of a longer reply chain, go read it.


> Your

Are you talking to me in this comment, or just generally? I have trouble telling.



