The Pitfalls of Third-Party Libraries
Today, we discussed a recent vulnerability in a third-party logging library that can be easily exploited to execute remote commands. At first glance, a logging library seems completely unrelated to remote command execution, but over-engineered third-party libraries are everywhere, and every feature beyond the library's stated purpose is extra code that attacker-controlled input may reach.
The more code I read, the more I realize how poor the quality of much open-source code is, regardless of how many stars it has. Stars represent demand, not development quality.
The benefit of open source is that more people can contribute—features are added quickly, bugs are fixed, and code is reviewed—but the skill levels vary greatly.
Without strong submission constraints, code quality is difficult to guarantee.
The more code there is, the larger the attack surface becomes.
Reinventing the wheel is generally discouraged, but if the product requirement is a baby stroller wheel, a simple plastic part that does one job reliably, then fitting an airplane tire only increases the attack surface and the maintenance cost. If you only need a stroller wheel, don't overcomplicate it.
Maintenance costs are high. Third-party libraries require dedicated processes and personnel to maintain. For example, Huawei's customized version of a third-party testing framework caused test cases to fail outright when the compiler was upgraded; reconciling the framework upgrade with the compiler upgrade took significant time before the customized solution could continue. As a participant, I deeply felt the difficulty of modifying third-party libraries. If the modifications are features that can be merged back into the open-source library, that is manageable. Invasive custom development for specific needs, however, makes maintenance extremely challenging.
Huawei has established a series of processes for dealing with third-party libraries, but they come with significant hurdles.
The barrier for entry is extremely high. Adding a third-party library requires review by an 18-level expert and a 20-level department head. Essentially, only well-established third-party libraries can be used.
All third-party libraries are placed in a thirdparty folder. During a full build, the CI system compares them against the original upstream repositories and rejects any invasive local modification.
A specialized tool tracks the versions of all third-party libraries. This part is managed by outsourced personnel. If developers apply to upgrade a version, they must submit a request for department head approval.
It is difficult to get a department head to handle such matters. When a process becomes overly cumbersome, it effectively discourages the very action it governs.
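The two mechanical parts of that process, comparing the thirdparty folder against upstream and tracking which version is pinned, are easy to reproduce in any CI job. The following is an added example, not Huawei's tool and not code from this post: a manifest of per-file SHA-256 hashes is generated from the pristine upstream release and committed next to the vendored tree, and the CI step recomputes the hashes and reports modified, added and removed files. The library name liblog, the pinned version 1.2.3 and the file contents are constructed for the demo.

```python
"""Added example: detect invasive local modifications to a vendored
third-party library by comparing the thirdparty/ tree against a manifest
generated from the pristine upstream release (not Huawei's tool)."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Hypothetical library, pinned version and file contents, constructed for the demo.
PINNED_VERSION = "1.2.3"
UPSTREAM_FILES = {
    "liblog/__init__.py": b"__version__ = '1.2.3'\n",
    "liblog/core.py": b"def log(msg):\n    print(msg)\n",
    "liblog/LICENSE": b"MIT License\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(version: str, files: dict[str, bytes]) -> dict:
    """Manifest committed alongside the vendored tree: the pinned upstream
    version plus a SHA-256 of every file in the pristine release."""
    return {"version": version,
            "files": {path: sha256_hex(data) for path, data in files.items()}}


def hash_tree(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_vendored(root: Path, manifest: dict) -> dict[str, list[str]]:
    """Return the drift between the vendored tree and the manifest.
    Any non-empty list is a CI failure: the tree no longer matches upstream."""
    actual = hash_tree(root)
    expected = manifest["files"]
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "added": sorted(p for p in actual if p not in expected),
        "removed": sorted(p for p in expected if p not in actual),
    }


def write_tree(root: Path, files: dict[str, bytes]) -> None:
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """A pristine checkout passes; a locally patched copy is reported."""
    manifest = build_manifest(PINNED_VERSION, UPSTREAM_FILES)
    base = Path(tempfile.mkdtemp())

    pristine = base / "pristine" / "thirdparty"
    write_tree(pristine, UPSTREAM_FILES)
    clean = compare_vendored(pristine, manifest)

    patched = base / "patched" / "thirdparty"
    write_tree(patched, UPSTREAM_FILES)
    # Simulated invasive customisation: edit upstream code in place, drop a
    # local helper into the tree, and delete an upstream file.
    (patched / "liblog/core.py").write_bytes(b"def log(msg):\n    print('[custom]', msg)\n")
    (patched / "liblog/local_patch.py").write_bytes(b"# internal hack\n")
    (patched / "liblog/LICENSE").unlink()
    drift = compare_vendored(patched, manifest)
    return clean, drift


if __name__ == "__main__":
    clean, drift = demo()
    print("pristine:", clean)
    print("patched: ", drift)
```

Upgrading a library then means regenerating the manifest from the new upstream release in the same change that updates the vendored tree, which is exactly the step that an approval gate can attach to; any edit to the tree without a matching manifest change fails the build, so the only way to keep a customisation is to get it merged upstream.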
When it comes to third-party libraries, maintain a skeptical attitude and trust in your own team’s development.