Russ Cox, who developed the dependency/package management system for Go, writes about the problems with software dependencies. A choice excerpt:
Dependency managers now exist for essentially every programming language. [...] The arrival of this kind of fine-grained, widespread software reuse is one of the most consequential shifts in software development over the past two decades. And if we’re not more careful, it will lead to serious problems.
A package, for this discussion, is code you download from the internet. Adding a package as a dependency outsources the work of developing that code [...] to someone else on the internet, someone you often don’t know. By using that code, you are exposing your own program to all the failures and flaws in the dependency. Your program’s execution now literally depends on code downloaded from this stranger on the internet. Presented this way, it sounds incredibly unsafe. Why would anyone do this?
(Score: 2) by AssCork on Thursday January 24 2019, @11:19PM (2 children)
The solution to this last part would be "unit tests", wherein a developer spends 250% of their time coding 'tests', then 50% of their time coding actual code to pass the tests.
Source: The internet (because no psychopath would actually do this)
Just popped-out of a tight spot. Came out mostly clean, too.
(Score: 2) by DannyB on Friday January 25 2019, @04:06PM (1 child)
Unit tests may not uncover malware hidden in one of your dependencies. As long as all the unit tests are passed you won't notice anything.
The lower I set my standards the more accomplishments I have.
(Score: 2) by AssCork on Monday February 04 2019, @09:47PM
Build tests take care of that before signing and staging.
And again during Release.
Just popped-out of a tight spot. Came out mostly clean, too.
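The two comments above make the same point from opposite sides: a passing test suite says nothing about whether a dependency's contents are what you reviewed, while a build step that checks pinned checksums before signing does. The following is an added illustration, not code from the thread or from Go's tooling; the package tree, the "pad" function, and the lockfile format are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample: a vendored dependency as {relative_path: file_bytes}.
# Nothing here comes from a real package; it only illustrates the check.
GOOD_TREE = {
    "leftpad/__init__.py": b"def pad(s, n):\n    return s.rjust(n)\n",
    "leftpad/setup.py": b"name = 'leftpad'\n",
}
# The same package after a line was appended: pad() is unchanged, so the
# project's unit tests still pass, but the file no longer matches review.
TAMPERED_TREE = dict(GOOD_TREE)
TAMPERED_TREE["leftpad/__init__.py"] += b"PHONE_HOME = True  # injected line\n"

def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pin_tree(tree: dict) -> dict:
    """Lockfile entry recorded at review time: one SHA-256 per file."""
    return {path: file_digest(data) for path, data in sorted(tree.items())}

@dataclass
class VerifyResult:
    ok: bool
    tampered: list = field(default_factory=list)   # pinned, but bytes differ
    unpinned: list = field(default_factory=list)   # present, never reviewed
    missing: list = field(default_factory=list)    # pinned, but gone

def verify_tree(tree: dict, pins: dict) -> VerifyResult:
    """Build-time integrity gate: refuse to sign unless every file matches its pin."""
    r = VerifyResult(ok=True)
    for path, data in tree.items():
        if path not in pins:
            r.unpinned.append(path)
        elif pins[path] != file_digest(data):
            r.tampered.append(path)
    for path in pins:
        if path not in tree:
            r.missing.append(path)
    r.ok = not (r.tampered or r.unpinned or r.missing)
    return r

def run_unit_tests(tree: dict) -> bool:
    """Stand-in for the project's test suite: checks pad() behaviour only."""
    ns = {}
    exec(tree["leftpad/__init__.py"], ns)  # constructed sample code, not a real package
    return ns["pad"]("ab", 4) == "  ab"

if __name__ == "__main__":
    pins = pin_tree(GOOD_TREE)
    print("unit tests pass on tampered tree:", run_unit_tests(TAMPERED_TREE))
    print("integrity check on tampered tree:", verify_tree(TAMPERED_TREE, pins))
```

The unit tests pass on both trees; only the checksum gate reports the modified file, which is the gap DannyB describes and the step AssCork's build tests would have to perform.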