How do you vet and security check all the OS libraries you depend on? I think people like to complain about Cargo, NPM, etc. because they make the complexity of software very visible, when the real issue is just that software is complex.
there is an important third category of options, which is to reproduce the desired functionality of a library. good text handling is important to users, so it is equally important that more programmers practice the implementation of good text-handling libraries (from scratch).
With all due respect, this is implying that English speakers can write, say, Arabic text handling just as well as Arabic speakers can. Not only is this false, this sentiment has ugly cultural implications.
New conversation
I'm certainly not suggesting we abandon the notion of a software dependency. I doubt anyone who writes code is seriously arguing that. I do think there's a point in the discussion to be made about whether each such dep edge has -- or lacks -- a meaningful auth & audit system.
(From what I can tell the issue mostly arises on deps that the authors consider trivial, so don't apply much scrutiny to the ownership & maintenance of. Which is fair! One shouldn't be expected to treat all one's writing as critical infrastructure. But then: maybe mark as such?)
New conversation
But all libraries using the same "text handling library" instead of their own could reduce dependencies AND is useful in this context. If I get 10 uncommon dependencies (that all contain similar logic) transitively, is this bad compared to ONE common dependency?
In this case you don't rewrite to avoid your dependency but to avoid additional dependencies for your users and I don't see any disadvantage of that. (We do that with all code in one organisation all the time.)
End of conversation
New conversation
And I'd rather pull in one ICU than dozens of separate unicode crates.

I'm not arguing against dependencies or using open source code. But I want larger dependencies from fewer parties so there is a realistic chance to vet them.