SoylentNews is people

posted by martyb on Thursday January 24 2019, @10:25PM
from the ask-the-PHB dept.

Russ Cox, who developed the dependency/package management system for Go, writes about the problems with software dependencies. A choice excerpt:

Dependency managers now exist for essentially every programming language. [...] The arrival of this kind of fine-grained, widespread software reuse is one of the most consequential shifts in software development over the past two decades. And if we’re not more careful, it will lead to serious problems.

A package, for this discussion, is code you download from the internet. Adding a package as a dependency outsources the work of developing that code [...] to someone else on the internet, someone you often don’t know. By using that code, you are exposing your own program to all the failures and flaws in the dependency. Your program’s execution now literally depends on code downloaded from this stranger on the internet. Presented this way, it sounds incredibly unsafe. Why would anyone do this?


  • (Score: 4, Insightful) by DrkShadow on Thursday January 24 2019, @11:43PM (2 children)

    by DrkShadow (1404) on Thursday January 24 2019, @11:43PM (#791499)

    You're not using external libraries for your programming language. Not using this fine-grained, widespread software infrastructure will lead to serious problems.

    Not using a package for work means you're not outsourcing the development of that code to someone else, someone who often excels at particularly that work, and has tested the particular functionality of that code. By again reimplementing this code, you're exposing your program to unknown failures and flaws in function and inter-workings. Your program's execution now literally depends completely on you, and you must master every minute aspect of your program's workings. Presented this way, it sounds incredibly unsafe. Would anyone do this?

    One big point of shared libraries is that you're not reimplementing code that has already been implemented -- that you're not tasked with implementing it, testing it, fixing it, adding features to it, and so on. Other people do these things, and you sit back and benefit. The argument is that it's much less likely that there is an error in a widely reused package than there is an error in your custom, reinvented wheel of a feature.

    Are there going to be _more_ errors in external libraries? Would there be more errors than if you wrote _ALL_ the included functionality yourself? Will you be able to fix all errors as they occur?

    Would you trust software where every implementation of SSL was coded by each developer, or would you trust software that uses the current version of OpenSSL? How do you feel about your SSH server? Should each distro include their own, custom-written SSH server?

    This article is FUD. In my experience, things _now_ are a _great_deal_ more stable and secure and usable than they were 20 years ago.

  • (Score: -1, Troll) by Anonymous Coward on Friday January 25 2019, @05:56AM

    by Anonymous Coward on Friday January 25 2019, @05:56AM (#791631)

    implementing it, testing it, fixing it, adding features to it, and so on. Other people do these things, and you sit back and benefit stay up at night dealing with sudden breakage

    FTFY. We are NOT in your fantasy world of rainbow-pooping unicorns and infallible upstream devs; we who write and maintain real code have to deal with the ugly reality as it is.

  • (Score: 2) by darkfeline on Friday January 25 2019, @09:50AM

    by darkfeline (1030) on Friday January 25 2019, @09:50AM (#791678)

    I suppose I am partially at fault for choosing that particular excerpt. As we all know, no one reads TFA.

    If you actually read the article, you will find that Russ doesn't argue against adding dependencies, but rather that we should properly vet them and that perhaps we now need tools to help us validate and update our dependencies rather than just download and distribute them.

    --
    Join the SDF Public Access UNIX System today!