Earlier today I asked a question on Twitter

Holy cow, that thread took on a life of its own. The question is easy enough: do we have any security data on pinning vs not pinning dependencies? We don’t, I know this, but I was hoping someone was working on something (I don’t think they are). But during the thread I also think I figured out how to start collecting this data. That’s a post for the future.

Now, I should clarify, I think pinning dependencies is a fine idea. I imagine my question was misread by a number of people to be some secret attempt at pushing an agenda. Sadly it was not. I am a bit harsh in the thread on people trying to pass off opinion as fact. The whole point of the question was to find some data, then things got weird.

I want to address something I realized in this thread. There is no data on this point, yet there is quite a bit of guidance in that thread. Everyone just sort of talks past each other. Some people are horrified by the idea of not pinning your dependencies. Some think pinning dependencies is the worst thing ever. It’s all quite fascinating. Everyone has an opinion, nobody has data. How often do we make decisions based on how we feel about something, but then end up confusing our feelings for facts? I think all the random odd views we can see in that thread are the result of different opinions. Opinions based on how someone feels. Data is like a line in the sand you can always see, opinions are like waves washing back and forth. Sometimes weird things wash up.

It’s easy to get caught up in things we want to believe to be true. I know people who still maintain changing your password on a regular basis is more secure. There is actual research that shows changing your passwords on a regular cadence is less secure than using one very long password, actual real research. But because it feels wrong, it must be wrong.

I find myself doing this all the time. I might have a certain opinion, and it’s really hard to objectively unlearn something. My favorite example of this is that I once thought PGP was the best possible form of secure messaging. The keys are generated locally, you can pass messages via any medium. You can send messages to nearly anyone. In theory it’s a great system! But in reality it’s terrible. It took me a long time to realize my love of PGP was mostly emotional. The data was clear, PGP has a lot of problems. I try not to use it now.

I’m not trying to make anyone feel bad for whatever view they may or may not have in this post. I wanted to scribble down some quick thoughts because the whole conversation reminded me that opinion is not fact. Facts need data. And sometimes we believe something for so long, we don’t even notice we are trying to pass off our opinions as facts.

There’s an old hacker saying “question everything”. It’s very relevant in this discussion.

It’s relevant in every discussion, especially this blog post.