I'm running Linux, millions of lines of code I never verified, and which may or may not have been verified by trustworthy people. In the end it's one big risk. When I'm developing in Go, it's pulling in many lines of code I don't have time to validate; same with Java, so many jars. Who knows what I'm running...
I don’t know where to start with the comment above. First, different code bases receive different levels of scrutiny, so factor this in. Second, there are tools that can help with supply chain security. Third, security isn’t all or nothing; we can and do make decisions under uncertainty. Fourth, who is accountable when things go badly?
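As an added illustration of the "tools that can help" point (this is not part of either comment above, and not code from any project mentioned), here is what Go's own module pinning actually checks. `go.sum` records an `h1:` hash per module version, and `go mod verify` recomputes it over the downloaded files and complains if anything differs. The program below reimplements that `h1:` directory hash (the published Hash1 scheme: sorted file list, one `sha256hex  path` line per file, SHA-256 over the lines, base64) over a constructed in-memory module, then shows a single-byte change being caught. The file contents, the module name `example.com/m@v1.0.0`, and the function names `hash1`/`verify` are my assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ModuleFile is one file of a module, named as it would appear inside the
// module zip (module path @ version prefix included). Constructed input for
// this example; nothing is fetched from the network.
type ModuleFile struct {
	Path    string
	Content []byte
}

// hash1 computes the "h1:" hash that go.sum records for a module version:
// files are sorted by path, each contributes a line "<sha256 hex>  <path>\n",
// and the SHA-256 of the concatenated lines is base64-encoded. This mirrors
// the Hash1 algorithm of golang.org/x/mod/sumdb/dirhash, reimplemented here
// over in-memory files so the example runs offline.
func hash1(files []ModuleFile) string {
	sorted := make([]ModuleFile, len(files))
	copy(sorted, files)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Path < sorted[j].Path })

	summary := sha256.New()
	for _, f := range sorted {
		fileSum := sha256.Sum256(f.Content)
		fmt.Fprintf(summary, "%x  %s\n", fileSum[:], f.Path)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// verify is the check `go mod verify` performs per module: recompute the
// hash over what is on disk and compare it with the value pinned in go.sum.
func verify(files []ModuleFile, pinned string) error {
	got := hash1(files)
	if got != pinned {
		return fmt.Errorf("module contents changed: pinned %s, computed %s", pinned, got)
	}
	return nil
}

// sampleModule is a constructed two-file module (assumed name example.com/m).
func sampleModule() []ModuleFile {
	return []ModuleFile{
		{Path: "example.com/m@v1.0.0/go.mod", Content: []byte("module example.com/m\n\ngo 1.21\n")},
		{Path: "example.com/m@v1.0.0/m.go", Content: []byte("package m\n\nfunc Add(a, b int) int { return a + b }\n")},
	}
}

// tamperedModule returns the same module with one byte changed in m.go,
// standing in for a modified download or a silently republished version.
func tamperedModule() []ModuleFile {
	files := sampleModule()
	src := append([]byte(nil), files[1].Content...)
	src[len(src)-3] = '-' // "a + b" becomes "a - b"
	files[1].Content = src
	return files
}

func main() {
	files := sampleModule()
	pinned := hash1(files) // the value go.sum would have recorded at first download
	fmt.Println("pinned:", pinned)

	if err := verify(files, pinned); err != nil {
		fmt.Println("unexpected:", err)
	} else {
		fmt.Println("unmodified module verifies")
	}
	if err := verify(tamperedModule(), pinned); err != nil {
		fmt.Println("detected:", err)
	}
}
```

The caveat a practitioner should keep in mind: this proves the bytes are the ones that were pinned, not that those bytes are safe. Pinning turns "who knows what I'm running" into "I'm running exactly what I reviewed (or chose not to review) on the day I pinned it", which is what makes review effort allocatable at all.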
And every distro has a different mix of packages that they install by default. There's no "standard" Linux installation.
And cosmic rays could cause bit flips, causing a patient record to have an undetectable error, leading to a surgeon removing the wrong kneecap.
I’m exaggerating to make a point here. If one builds a threat model, one can better allocate one’s attention to the riskiest components.
All of us operate in an uncertain world. Flattening this into “it is all a mess” isn’t useful.
Saying “machines are dangerous” or “we all die sometimes” isn’t fitting after Randall is maimed and pulverized in a preventable industrial accident where the conveyor belt dragged him into a box-forming machine. Randall should not wear long sleeves. Randall should not have disabled the “screaming means something has gone wrong” sensors. Randall should not run the system at 5X speed while smoking meth.