Schneier on Security

Ray Dillinger • April 8, 2026 1:42 PM

I have been avoiding most “modern” programming languages because each program tends to come with a transitive closure of dependencies imported from so many sources all over the Internet that it seems flatly impossible that these sources are all trustworthy and flatly impossible that there is any unified team trying to make sure that they are all trustworthy.

And that dependency tree can change after the program is written. Usually these dependencies, if missing, get dynamically loaded from some random Internet site, and run without so much as a notification to the user that this is happening. Some library maintainer decides it’s okay to change their dependencies, and suddenly the project you wrote three years ago and haven’t changed is now downloading and running code that’s entirely outside the set of things you have accepted the risk to run, from a source you have no idea whether to trust or not, without your permission.

And these libraries are for the most part undocumented – or at least undocumented in any way that would be discoverable and verifiable by any standard procedure or by someone who’s not already downloading and using them. I mean, oh, yeah, there’s a website somewhere. But all these websites are organized in different ways and may omit crucial information or hide it six levels down in a click-random-things hierarchy most of which doesn’t have much to do with the crucial information you’re after.

The organization or hosting of these websites can change on somebody’s whim, the URLs are random hosts you never heard of, any of them could be run by anybody including attackers, and neither the libraries nor their documentation is even signed (other than some which is “trust me bro” self-signed by the authors). None of it is resident on your system where you’ll know if it has changed. None of it is resident on my system where I could use it in places or circumstances where I do not want the machine connected to the internet. None of it is even resident on my system where I could rely on being notified if it had been changed.

Just, no. I try building a program and watch, aghast, as the machine goes and downloads code from a thousand different completely unknown and unvetted hosts, fails to install locally resident documentation for any of it, fails to provide any uniform interface to whatever documentation exists, and spits out something I am expected to run.

There is not even an accepted stable specification for all these libraries, and nobody who is testing new versions of each to see that it meets any such specification. Nor is there a central repository with a gatekeeper and a unified bugtracker for all of this stuff. Finally none of it is even packaged for, signed by, and served by for any consistent identifiable signing authority like a distro maintainer that tracks and announces security issues and bugs. Therefore no distribution maintainer is even testing new specific versions of it in combination with specific versions of other things accepted into the same distro as dependencies.

Nobody other than the packager/author is tracking bugs or security issues or signing new releases, so each one basically all comes down to “trust me bro” with no reference to anybody whose work depends (and the value of whose signature depends) on all of it being tested and clean.

No fecking way am I ever going to take the having all that on my own system to develop software. And if I did build software that way I’d wind up with a program I could not in good conscience ask any client, user, or customer to ever trust.