Russ Cox, who developed the dependency/package management system for Go, writes about the problems with software dependencies. A choice excerpt:
Dependency managers now exist for essentially every programming language. [...] The arrival of this kind of fine-grained, widespread software reuse is one of the most consequential shifts in software development over the past two decades. And if we’re not more careful, it will lead to serious problems.
A package, for this discussion, is code you download from the internet. Adding a package as a dependency outsources the work of developing that code [...] to someone else on the internet, someone you often don’t know. By using that code, you are exposing your own program to all the failures and flaws in the dependency. Your program’s execution now literally depends on code downloaded from this stranger on the internet. Presented this way, it sounds incredibly unsafe. Why would anyone do this?
(Score: 4, Interesting) by JoeMerchant on Thursday January 24 2019, @11:29PM (8 children)
I can think of one very good reason we're using one particular library: "standards compliance." We need to import/export images in "DICOM standard format." Except: DICOM is a messy, evolving thing. Better for us to rely on a DICOM package maintained by strangers who live and breathe DICOM on a daily basis and keep up with the evolving standard through them, instead of us adding two or three full time developers to do the same thing in-house.
Can these strangers screw up? Of course they can, which is why we test our code before release. If they ever abandon the library, then we might have to port over to a better maintained package. If there aren't any maintained packages out there, perhaps the standard isn't so valuable after all, or perhaps it has matured and we can rely on the last stable package well into the future.
Do we go grabbing every package in sight, willy nilly, just to add bullet points to our spec sheet? No, _we_ don't do that, but if you do, you might be heading for the type of problems the author is FUD mongering about.
🌻🌻 [google.com]
(Score: 3, Insightful) by The Mighty Buzzard on Friday January 25 2019, @12:32AM
The author's not wrong for simple things but has lost his bloody mind if he thinks you should never use a library. There's not a thing in the world wrong with writing your own interface to someone's web API and only including what needs to be there but it'd be dogfuckingly stupid recreate all the code necessary to send a bloody TLS request instead of using libraries.
My rights don't end where your fear begins.
(Score: 2) by sjames on Friday January 25 2019, @01:47AM (3 children)
Well considered use of a library for a specific purpose makes plenty of sense. The problem is too many projects importing dozens of libraries from all over, sometimes just to use a function or two, or even a few constants. And of course, those imports do their own imports.
(Score: 2) by JoeMerchant on Friday January 25 2019, @02:39AM (2 children)
My most evil dependency is Qt - my code is f-ing married to it, and there's not a viable alternative that does what it does. Of course, Qt is quite well supported and the quality has been generally good. If it ever goes downhill I guess I'll just use the old reliable versions instead of updating to the latest all the time like I do now.
🌻🌻 [google.com]
(Score: 2) by sjames on Saturday January 26 2019, @02:58AM (1 child)
GUI libraries are a real issue. On the one hand, it's a big dependency ball and the dependency runs deep since it dictates the entire flow of execution. On the other, it's the only sane way to have a GUI at all. I certainly wouldn't expect you to reinvent that wheel and speak raw X protocol from your code.
(Score: 2) by JoeMerchant on Saturday January 26 2019, @10:38PM
Then X becomes the dependency - yeah, it's the only sane way...
Someone should submit the story about Google and Oracle and the API copyright cases currently flipping over in appeals court - that's a mess waiting to explode.
🌻🌻 [google.com]
(Score: 3, Informative) by darkfeline on Friday January 25 2019, @09:57AM (2 children)
I suppose I am partially at fault for choosing that particular excerpt. As we all know, no one reads TFA.
If you actually read the article, you will find that Russ doesn't argue against adding dependencies, but rather that we should properly vet them and that perhaps we now need tools to help us validate and update our dependencies rather than just download and distribute them.
> Do we go grabbing every package in sight, willy nilly, just to add bullet points to our spec sheet? No, _we_ don't do that
May I introduce you to the modern NPM/Node.JS programmer, where we have such lovely things as the is-odd package, a package with a million weekly downloads that implements a single function that returns true if a number is odd. Of course, there's the corresponding is-even package, which is implemented as !isOdd.
Join the SDF Public Access UNIX System today!
(Score: 2) by JoeMerchant on Friday January 25 2019, @01:53PM (1 child)
Not true, I read TFA in at least 1% of cases that I comment on ;-)
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Friday January 25 2019, @11:54PM
Anathema!