• Arghblarg@lemmy.ca · 2 upvotes · 8 hours ago

    Ah, good. I wonder why it isn’t used more often – this wouldn’t be such a huge problem then, I would hope. (Let me guess – ‘convenience’, the archenemy of security.)

    • LiPoly@lemmynsfw.com · 3 upvotes · 3 hours ago

      Because it doesn’t really solve much. After every update of external libraries, do you go through all the diffs to see if there is malicious code? Of course you don’t. And even if you did, it’s not even always possible to spot it. So all locking packages does is postpone the problem to when you eventually update. As an added bonus, you’re now vulnerable to all the legitimate issues that get fixed in those updates you’re not installing regularly.
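The comment above argues that a lockfile only defers the review to the moment you update. The one thing a lockfile does make cheap is knowing exactly which packages changed in that update, so the review can be narrowed to those rather than the whole tree. The script below is an added example, not code from the thread or from any package manager: it compares two lock snapshots and reports added, removed and version-bumped packages, and separately flags entries whose version stayed the same but whose integrity hash changed, which is the case that deserves the closest look. The JSON shape is loosely modelled on the `packages` map of an npm lockfile, and all package names, versions and hashes are constructed placeholders.

```python
"""Report what a dependency update actually changes, using two lock snapshots.

Added example for the discussion above; not the thread's or any tool's code.
Lock format: a JSON object with a "packages" map keyed by install path,
each entry carrying "version" and "integrity" (shape modelled loosely on
npm's package-lock.json; the data below is constructed, not real).
"""
import json

# Constructed "before" snapshot (placeholder names, versions and hashes).
OLD_LOCK = json.dumps({
    "packages": {
        "": {"name": "example-app"},  # root entry, carries no dependency
        "node_modules/pkg-a": {"version": "1.2.0", "integrity": "sha512-CONSTRUCTED-A1"},
        "node_modules/pkg-b": {"version": "3.0.0", "integrity": "sha512-CONSTRUCTED-B1"},
        "node_modules/pkg-c": {"version": "0.9.1", "integrity": "sha512-CONSTRUCTED-C1"},
        "node_modules/pkg-e": {"version": "5.5.5", "integrity": "sha512-CONSTRUCTED-E1"},
    }
})

# Constructed "after" snapshot: pkg-b bumped, pkg-c same version but new
# hash, pkg-d added, pkg-e removed, pkg-a unchanged.
NEW_LOCK = json.dumps({
    "packages": {
        "": {"name": "example-app"},
        "node_modules/pkg-a": {"version": "1.2.0", "integrity": "sha512-CONSTRUCTED-A1"},
        "node_modules/pkg-b": {"version": "3.1.0", "integrity": "sha512-CONSTRUCTED-B2"},
        "node_modules/pkg-c": {"version": "0.9.1", "integrity": "sha512-CONSTRUCTED-C2"},
        "node_modules/pkg-d": {"version": "2.0.0", "integrity": "sha512-CONSTRUCTED-D1"},
    }
})


def parse_lock(text):
    """Map install path -> (version, integrity), skipping the root entry."""
    data = json.loads(text)
    return {
        path: (entry.get("version"), entry.get("integrity"))
        for path, entry in data.get("packages", {}).items()
        if path  # the "" key is the project itself, not a dependency
    }


def diff_locks(old_text, new_text):
    """Classify every package present in either snapshot.

    Returns a dict with four lists:
      added     - paths only in the new snapshot
      removed   - paths only in the old snapshot
      updated   - (path, old_version, new_version) where the version changed
      hash_only - paths whose version is unchanged but whose integrity
                  hash differs, i.e. same declared release, different bytes
    """
    old, new = parse_lock(old_text), parse_lock(new_text)
    report = {"added": [], "removed": [], "updated": [], "hash_only": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        else:
            old_ver, old_hash = old[path]
            new_ver, new_hash = new[path]
            if old_ver != new_ver:
                report["updated"].append((path, old_ver, new_ver))
            elif old_hash != new_hash:
                report["hash_only"].append(path)
    return report


def review_scope(report):
    """Return the list of paths a reviewer would need to read before
    accepting the update: everything new or changed, hash-only first."""
    scope = list(report["hash_only"])
    scope += [path for path, _, _ in report["updated"]]
    scope += report["added"]
    return scope


def format_report(report):
    """Render the diff as human-readable lines."""
    lines = []
    for path in report["hash_only"]:
        lines.append(f"HASH CHANGED, SAME VERSION: {path}")
    for path, old_ver, new_ver in report["updated"]:
        lines.append(f"updated: {path} {old_ver} -> {new_ver}")
    for path in report["added"]:
        lines.append(f"added:   {path}")
    for path in report["removed"]:
        lines.append(f"removed: {path}")
    return lines


if __name__ == "__main__":
    result = diff_locks(OLD_LOCK, NEW_LOCK)
    print("\n".join(format_report(result)))
    print("review before merging:", review_scope(result))
```

Run as-is, it prints one line per changed package and then the list of packages to read before merging. Plugging real lock snapshots into `OLD_LOCK` and `NEW_LOCK` (for instance the file at the last reviewed commit and the file after the update) turns the same logic into a pre-merge check; the "hash changed, same version" case is listed first because a release whose bytes changed without a version bump is exactly the kind of diff the comment says is hard to spot by eye.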