
SoylentNews is people

posted by martyb on Thursday January 24 2019, @10:25PM
from the ask-the-PHB dept.

Russ Cox, who developed the dependency/package management system for Go, writes about the problems with software dependencies. A choice excerpt:

Dependency managers now exist for essentially every programming language. [...] The arrival of this kind of fine-grained, widespread software reuse is one of the most consequential shifts in software development over the past two decades. And if we’re not more careful, it will lead to serious problems.

A package, for this discussion, is code you download from the internet. Adding a package as a dependency outsources the work of developing that code [...] to someone else on the internet, someone you often don’t know. By using that code, you are exposing your own program to all the failures and flaws in the dependency. Your program’s execution now literally depends on code downloaded from this stranger on the internet. Presented this way, it sounds incredibly unsafe. Why would anyone do this?


    by Immerman (3985) on Saturday January 26 2019, @01:01AM (#792131)

    Then it behooves you to update your library, doesn't it? The point is not to not update your libraries, it's to not update them automatically without first verifying that the update doesn't break anything.

    I've thought that the ideal way to handle external library updates is for the executable to specify the latest "certified-good" version of the libraries it uses, even supply a copy in its internal program space. And then let users decide whether they want to use that version, or the latest independently updated version, based on default or program-specific library settings. Probably you'd usually default to "use latest", but having the option to switch to the "certified good" or "last working" version at the press of a button would be very valuable. Ideally the OS would even keep track of library updates so that you could flag a program as buggy and have it automatically revert (for that program) any libraries that were updated since the last non-buggy use.

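The per-program library policy sketched in the comment above, modelled as a small Python resolver. This is an added example, not code from the article, from Russ Cox, or from the commenter; the `Program` model, the policy names and the library names and version strings are all invented for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Program:
    """One executable plus the library settings the comment describes (hypothetical model)."""
    name: str
    certified: dict[str, str]                      # library -> version bundled as "certified-good"
    policy: str = "latest"                         # "latest", "certified" or "last-working"
    last_working: dict[str, str] = field(default_factory=dict)  # versions at last non-buggy run
    flagged_buggy: bool = False                    # set by the user after a bad run


def resolve(prog: Program, installed: dict[str, str]) -> dict[str, str]:
    """Choose a version for each library the program uses.

    `installed` is the system-wide view of independently updated libraries;
    the bundled certified copy is always available as a fallback.
    """
    chosen: dict[str, str] = {}
    for lib, certified_ver in prog.certified.items():
        system_ver = installed.get(lib, certified_ver)
        known_good = prog.last_working.get(lib, certified_ver)
        if prog.policy == "certified":
            chosen[lib] = certified_ver
        elif prog.policy == "last-working":
            chosen[lib] = known_good
        elif prog.flagged_buggy and system_ver != known_good:
            # The program was flagged buggy: roll back, for this program only,
            # every library that was updated since its last non-buggy use.
            chosen[lib] = known_good
        else:
            chosen[lib] = system_ver
    return chosen


def record_good_run(prog: Program, used: dict[str, str]) -> None:
    """Call after a run the user considers non-buggy; clears any buggy flag."""
    prog.last_working = dict(used)
    prog.flagged_buggy = False


def flag_buggy(prog: Program) -> None:
    """The user's 'this program is broken' button."""
    prog.flagged_buggy = True


if __name__ == "__main__":
    # Constructed sample: library names and versions are made up.
    app = Program("editor", certified={"libfoo": "1.0", "libbar": "2.0"})
    system = {"libfoo": "1.0", "libbar": "2.1"}
    good = resolve(app, system)        # policy "latest": libbar 2.1 is used
    record_good_run(app, good)
    system["libfoo"] = "1.1"           # an independent update lands
    flag_buggy(app)                    # the user reports the program broke
    print(resolve(app, system))        # libfoo reverts to 1.0, libbar stays at 2.1
```

Only libraries that changed since the last good run are reverted, so a rollback never touches an update the program was already known to work with.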