Using Electron and Atom on Classified Systems

I am a software developer doing federal government contract work on a classified system, and I am trying to get the okay from my IT department to use this software due to the open source nature. I’ve looked everywhere I can think of to find information to put their worries of malicious code attached to these projects to rest, but I can’t seem to find much concrete information. Does anyone have or know of information that might help me put my IT department’s mind at ease?

Electron is basically Node.js stapled to the bits of Chrome that render web pages. It is used for a number of commercial apps. Both Electron and Atom can be built from source, so if your IT department wants to be 100% sure that they know what’s in them, they can look at the source code and have you build from that. New releases are built automatically, so there’s not any human interference between the source code and what you can download from the GitHub releases page. An Atom package could carry malicious code, but every package is open-source as well. There’s nowhere that bad code could be hidden away from the user unless you’re getting an Atom executable from a third-party source.

What sorts of assurances are they looking for?

I know that some IT departments inherently trust corporations more than random open source projects because they know that corporations have a reputation to uphold. Other than the fact that the entirety of Atom and Electron are open source, Electron and Atom were both created by and the projects are owned by GitHub. Perhaps that will help?

Thank you. I said most of this to them before, but there are a couple things I haven’t, so maybe this will help some.

I’ve said this to them before, but I’ll remind them again. I’d think that would be enough and it probably would be if not for the continuous stream of new requirements coming from the federal government. Honestly, I’m not sure what else they are after.

Thank you both
