When the left-pad debacle happened, I feared that people would conclude “dependencies are bad”. (Instead of the logical conclusion, which is “don’t allow dependencies to be deleted from package registries.”) That prediction turned out to be true. :(
Replying to @pcwalton
I still hate the high dependency count. It’s a nightmare. In Rust as well as in JavaScript. I think dependency groups would help (grouped by org)
5 replies 0 retweets 21 likes
Replying to @pcwalton
How do you vet and security check them all? Any process one can put in place scales badly with the number of dependencies.
2 replies 0 retweets 9 likes
Replying to @mitsuhiko
How do you vet and security check all the OS libraries you depend on? I think people like to complain about Cargo, NPM, etc. because they make the complexity of software very visible, when the real issue is just that software is complex.
7 replies 9 retweets 38 likes
Replying to @pcwalton @mitsuhiko
I think this topic keeps getting derailed to software engineering stuff when it's really about authentication & authorization mechanisms, trust assumptions, porous dev communities. A false (but felt) small-trusted-community belief that "nobody is corrupting the stream" presently.
1 reply 2 retweets 15 likes
Like of course mutable vs. immutable packaging is an issue, but it's minor. People are going to auto-accept minor-version updates to a dep anyway. The issue is people worry about growth in the set of providers of those updates, inability to know "who all the authors are".
2 replies 0 retweets 12 likes
Replying to @graydon_pub @mitsuhiko
Do you know who all the authors are of the Windows kernel? I think people love to blame Cargo because they see a lot of “Compiling” lines every time they build and it’s scary. But they don’t realize that there are far more other, less visible, actors.
2 replies 1 retweet 4 likes
Replying to @pcwalton @graydon_pub
I only need to trust one entity for Windows: Microsoft.
1 reply 0 retweets 1 like
That reasoning is giving you a false sense of security.
It's a reductionist viewpoint, but not ridiculously so. There is a large entity very invested in not allowing malicious code.
1 reply 0 retweets 2 likes
Replying to @Brittain_Ben @pcwalton and
Malicious code isn't the only security issue. Judging by the news, it isn't the biggest one either.
0 replies 0 retweets 0 likes