posted by martyb on Thursday January 24 2019, @10:25PM
from the ask-the-PHB dept.

Russ Cox, who developed the dependency/package management system for Go, writes about the problems with software dependencies. A choice excerpt:

Dependency managers now exist for essentially every programming language. [...] The arrival of this kind of fine-grained, widespread software reuse is one of the most consequential shifts in software development over the past two decades. And if we’re not more careful, it will lead to serious problems.

A package, for this discussion, is code you download from the internet. Adding a package as a dependency outsources the work of developing that code [...] to someone else on the internet, someone you often don’t know. By using that code, you are exposing your own program to all the failures and flaws in the dependency. Your program’s execution now literally depends on code downloaded from this stranger on the internet. Presented this way, it sounds incredibly unsafe. Why would anyone do this?

  • (Score: 0) by Anonymous Coward on Friday January 25 2019, @07:20AM (#791652) (1 child)

    IMHO, there's a middle ground. You'd be nuts to implement your own crypto routines and image libraries in C. OTOH, a few years ago a bunch of web sites failed because of a JavaScript one-line library that was being linked by a bunch of people.

    Good development is somewhere in the middle. The one time I found points of conflict was where somebody wanted me to try some new build system that required Python. My makefiles worked fine. I rejected that. I'm sure somebody loves the Python-based build system for some reason... they started with it, they should stay with it. Don't force that person to switch to makefiles. Don't force me to use your build system... unless it's part of some massive integration where everybody has to do it the same way. Then you just have to suck it up sometimes, and sometimes the idiots who throw the kitchen sink into dependencies win, and then stuff that used to be meaningful gets pared down to one line, then somebody figures we could live without it and... ooops.

  • (Score: 0) by Anonymous Coward on Friday January 25 2019, @07:51AM (#791657)

    There is always middle ground, but there is no room for that on the internet. This is where we RAAAGE baby!