dmattia | 1 year ago
- Different folks ran `brew install <foo>` at a different time? They may see different behavior
- I ran `brew install <foo>` after a coworker did? I may not be able to replicate whatever issues they are facing
- Someone new ran `brew install <foo>` on their new laptop? They may have an entirely separate major version of that library with breaking changes.
- Do I know if folks are using vulnerable, old packages? Nope!
- Does production use some database with version X, but homebrew only supports a client for version Y? Eh whatever, just have folks locally use version Y. What could possibly go wrong with using a different version locally vs in production.
I kept our own homebrew tap for a while and pinned versions. That was fine. But then I had to maintain that tap, and there wasn't any easy way I found for checking if the versions we kept in that tap had any vulnerabilities on any registry I could find.
Then I found GitHub Codespaces / devcontainers, switched everyone to use Linux inside Docker, used Linux package managers to install pinned versions of everything we needed (using the same exact packages as we bundle into production), and scan my containers using a container vulnerability scanner nightly.
Instantly, 10+ hours of work per week for me vanished and I can now at least reproduce problems and fix them for everyone when they come up.
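One way to make the "pinned versions of everything" part of that setup concrete, as an added example rather than dmattia's own tooling: a lock file of Debian package pins that both generates the `apt-get install` line for the devcontainer image and checks an installed-package listing for drift from the pins. The lock-file format, file names and package versions are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed): a lock file of "package=version" pins, one per
# line with "#" comments, drives both the devcontainer image build and a
# drift check against what a machine actually has installed.

# Emit the apt-get line that installs exactly the pinned versions, so the
# devcontainer carries the same package versions that production bundles.
pinned_install_cmd() {
    lock="$1"
    pkgs=$(grep -v '^#' "$lock" | grep -v '^[[:space:]]*$' | tr '\n' ' ')
    printf 'apt-get install -y --no-install-recommends %s\n' "${pkgs% }"
}

# Compare the lock file with an installed listing in the same format, as
# produced by:  dpkg-query -W -f='${Package}=${Version}\n'
# Prints one line per missing or mismatched package; returns 1 on any drift,
# so a nightly job can fail loudly instead of letting machines diverge.
check_drift() {
    lock="$1"; installed="$2"; drift=0
    while IFS='=' read -r name want; do
        case "$name" in ''|\#*) continue ;; esac
        # exact match on the package field (names may contain '+' or '.')
        have=$(awk -F= -v n="$name" \
            '$1 == n { print substr($0, length($1) + 2); exit }' "$installed")
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$name" "$want"; drift=1
        elif [ "$have" != "$want" ]; then
            printf 'DRIFT   %s (want %s, have %s)\n' "$name" "$want" "$have"; drift=1
        fi
    done < "$lock"
    return "$drift"
}

# Demo on constructed data, not real machine state: a coworker's machine has
# an older libpq5 than the lock file pins.
demo() {
    d=$(mktemp -d)
    printf '# constructed pins\nlibpq5=15.4-1\ncurl=7.88.1-10\n' > "$d/pins.lock"
    printf 'curl=7.88.1-10\nlibpq5=14.9-1\n' > "$d/installed.txt"
    pinned_install_cmd "$d/pins.lock"
    check_drift "$d/pins.lock" "$d/installed.txt" || echo "drift detected"
    rm -rf "$d"
}
demo
```

In the Dockerfile the generated line replaces a bare `apt-get install`, and the drift check runs against each machine's `dpkg-query` output on the same nightly schedule as the vulnerability scan.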
ghthor | 1 year ago
I’m already using it for my personal work laptop and it is working well. Also nix allows me to configure host/user level tools such as shells or AWS-sso where docker would not. Building modules allows users to customize their configuration without blocking our tooling team from making changes to configs as Nix will just merge it all together.
mynegation | 1 year ago