When the left-pad debacle happened, I feared that people would conclude “dependencies are bad”. (Instead of the logical conclusion, which is “don’t allow dependencies to be deleted from package registries.”) That prediction turned out to be true. :(
I'm absolutely not suggesting that. I'm suggesting that the fact that almost no meaningful AAA system exists for distributed software development teams is an interesting and worthwhile problem to focus attention on.
I mean, we have like N=47,362 incompatible chat protocols and easily exp(N) worth of JS frameworks and maybe _one_ serious attempt at thinking about distributed software update security (TUF) which every time I even mention, a dozen people pop up to argue the inadequacies of?
New conversation
I *am* using open source code. We use a lot in Python. But I'd much rather pull in disgusting boost in C++ than thousands of one-liner js libraries because it's less risky.
Why is it less risky? npm isn't exactly great at warranting that the packages could not be maliciously taken over, but having something broken in boost is not that strange given how big it is. (and I could dig up a list of how many times we had problems with libstdc++ itself)
End of conversation
New conversation
There's a tradeoff. I agree with much of https://www.davidhaney.io/npm-left-pad-have-we-forgotten-how-to-program/ …. The parody of Unix philosophy that turned into "module must be one function that does only one thing" played a part in the left-pad debacle. Open source communities IMO do not require excessive deps on micro-pkgs.
How do we get to a capability model? Enforcing parameterized modules seems a bridge too far.