
posted by martyb on Thursday January 24 2019, @10:25PM
from the ask-the-PHB dept.

Russ Cox, who developed the dependency/package management system for Go, writes about the problems with software dependencies. A choice excerpt:

Dependency managers now exist for essentially every programming language. [...] The arrival of this kind of fine-grained, widespread software reuse is one of the most consequential shifts in software development over the past two decades. And if we’re not more careful, it will lead to serious problems.

A package, for this discussion, is code you download from the internet. Adding a package as a dependency outsources the work of developing that code [...] to someone else on the internet, someone you often don’t know. By using that code, you are exposing your own program to all the failures and flaws in the dependency. Your program’s execution now literally depends on code downloaded from this stranger on the internet. Presented this way, it sounds incredibly unsafe. Why would anyone do this?


  • (Score: 3, Insightful) by rigrig (5129) <soylentnews@tubul.net> on Friday January 25 2019, @12:43PM (#791701) (1 child)

    Sure, that is a direct quote from TFA. And then the author answers it in the next paragraph:

    We do this because it’s easy, because it seems to work, because everyone else is doing it too, and, most importantly, because it seems like a natural continuation of age-old established practice.

    After which he gets to the point:

    But there are important differences we’re ignoring.

    So yes, you can (and should) use dependencies instead of reinventing all wheels yourself, but pay attention to what you are including.

    And there it looks like the Node.js ecosystem has a problem; take for example escape-string-regexp [npmjs.com]:
    This is a trivial 8-line piece of code [github.com], with a 10:1 meta-data to code ratio...
    Given the choice, simply copy-pasting this seems a lot saner than adding it as a dependency... But a whole bunch of "real" packages do depend on it, so you don't get that choice if you want to include any of those.
    Which means you end up with a ton of dependencies, so it's pretty much impossible to vet them all, and you end up with problems like this [lwn.net] or this [lwn.net].

    --
    No one remembers the singer.
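One way to see the transitive pile-up rigrig describes is to walk the lock file itself. The script below is an added example, not code from the article or the comment; it is written for Node.js because that is the ecosystem under discussion. It reads a constructed package-lock.json (every package name except escape-string-regexp is a placeholder) and reports which packages the root never chose directly, plus any lock entries that are missing and therefore cannot be vetted at all.

```javascript
// Added example (not the article's or the commenter's code): walk a package-lock.json
// (lockfileVersion 2/3 "packages" layout) and report what the root really pulls in.
// Only hoisted entries ("node_modules/<name>") are handled; nested duplicates such as
// "node_modules/a/node_modules/b" are left out of this simplified walk.
const LOCK = {                                  // constructed sample lock file, not a real project
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "app-http-client": "^1.0.0", "app-logger": "^2.0.0" } },
    "node_modules/app-http-client": { version: "1.0.0",
      dependencies: { "escape-string-regexp": "^4.0.0", "tiny-util": "^1.0.0" } },
    "node_modules/app-logger": { version: "2.0.0",
      dependencies: { "tiny-util": "^1.0.0", "color-helper": "^1.0.0", "ghost-pkg": "^0.1.0" } },
    "node_modules/tiny-util": { version: "1.0.0" },
    "node_modules/color-helper": { version: "1.0.0", dependencies: { "escape-string-regexp": "^4.0.0" } },
    "node_modules/escape-string-regexp": { version: "4.0.0" },
    // "ghost-pkg" is deliberately absent: the lock file is out of sync with its manifest
  },
};

// Breadth-first walk from the root's direct dependencies; returns every package reached,
// with the version pinned in the lock and the first parent that pulled it in.
function resolveTransitive(lock) {
  const pkgs = lock.packages;
  const direct = Object.keys(pkgs[""].dependencies || {});
  const seen = new Map();                       // name -> { version, via }
  const queue = direct.map((name) => [name, "(direct)"]);
  while (queue.length) {
    const [name, via] = queue.shift();
    if (seen.has(name)) continue;               // diamond dependencies are counted once
    const entry = pkgs[`node_modules/${name}`];
    if (!entry) { seen.set(name, { version: "MISSING", via }); continue; }
    seen.set(name, { version: entry.version, via });
    for (const child of Object.keys(entry.dependencies || {})) queue.push([child, name]);
  }
  return { direct, all: seen };
}

// Summary a reviewer can act on: how many packages were chosen deliberately versus
// inherited, and which lock entries are missing and therefore unverifiable.
function vettingReport(lock) {
  const { direct, all } = resolveTransitive(lock);
  const transitiveOnly = [...all.keys()].filter((n) => !direct.includes(n));
  const missing = [...all].filter(([, v]) => v.version === "MISSING").map(([n]) => n);
  return { directCount: direct.length, totalCount: all.size, transitiveOnly, missing };
}

console.log(JSON.stringify(vettingReport(LOCK), null, 2));
```

Point it at a real lock file with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `LOCK` to get the same report for an actual project.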
  • (Score: 0) by Anonymous Coward on Friday January 25 2019, @01:59PM (#791730)

    True. But the main problem is that there is no review of the code changes in these dependencies.

    Copy/pasting is a problem in itself.