I mean, we have like N=47,362 incompatible chat protocols and easily exp(N) worth of JS frameworks and maybe _one_ serious attempt at thinking about distributed software update security (TUF) which every time I even mention, a dozen people pop up to argue the inadequacies of?
Conversation
I guess I don’t feel that strongly about whether there should be fewer actors to trust or not.
I do feel strongly that projects shouldn’t rewrite code just to avoid dependencies.
2
3
For example, a *lot* of the reason software is so unfriendly to non-Latin language speakers is because people who speak those languages just homebrew their text handling instead of using libraries. This is manifestly unfair to most of the world.
4
1
7
there is an important third category of options, which is to reproduce the desired functionality of a library.
good text handling is important to users, so it is equally important that more programmers practice the implementation of good text-handling libraries (from scratch).
2
With all due respect, this is implying that English speakers can write, say, Arabic text handling just as well as Arabic speakers can. Not only is this false, this sentiment has ugly cultural implications.
2
3
Expecting everyone to contribute to one monolithic culture has its own problems. Would building a software ecosystem for Arabic speakers be easier if it didn't need to fit in Latin-centric infrastructure?
1
I think this is key to argument: _small_ deps are the concern, and the putative "harm done" by rewriting a dep (because you don't trust it or simply don't _like_ it -- deps are always a bit of an imperfect fit) is proportional to the dep's size. Big deps matter, but are accepted.
1
1
6
I dunno. libsodium is a small dependency. But rewriting that puts users at risk.
2
1
This Tweet was deleted by the Tweet author. Learn more
Crypto is no less dangerous to rewrite if it’s 20 lines or 200.
3
It can also be dangerous to reuse code that's poorly implemented or maintained. This is particularly true with cryptography. I often see libraries as a painful compromise because I know I could do a better job if I had the time to invest. Sometimes I can't make that compromise.
For example, over the years, I've found myself rolling my own sessions for web services, because it's too important to leave it to someone else and I can never find any options doing it up to my standards. It doesn't need cryptography beyond a standard CSPRNG when done right.
1
It depends a lot on the language ecosystem. In some languages, I try to find a library to fit a use case and I can't find anything that's properly maintained or meets my standards. This happens a lot with the traditional Java ecosystem. Each dependency also gives me concern.
1
2
Show replies
Yeah, the flip side of “never write your own ___” is when everyone ends up uncritically using a poor off the shelf implementation, whose flaws then end up getting revealed
1
2
I wrote about on my feelings on this here to try to steer other people away from adding external dependencies and then being disappointed that I won't accept the code:
grapheneos.org/build#library-
I've often had bad experiences where I think a library looks good and am proven wrong.
1
1
Show replies