top | item 45167975

(no title)

1GZ0 | 5 months ago

The Author isn't arguing for not using third party dependencies. He's arguing for developers to be more conscious of the dependencies they use, by manually vetting and handling them. That screams "I've been down the package manager route and paid the price". Not inexperience.

discuss

SideburnsOfDoom|5 months ago

> He's arguing for developers to be more conscious of the dependencies they use

"be careful all the time" doesn't scale. Half of all developers have below-average diligence, and that's a low bar. No-one is always vigilant, don't think that you're immune to human error.

No, you need tooling, automation to assist. It needs to be supported at the package manager side. Managing a site where many files are uploaded, and then downloaded many times is not a trivial undertaking. It comes with oversight responsibilities. If it's video you have to check for CSAM. If it's executable code, then you have to check for malware.

Package managers are not evil, but they are a tempting target and need to be secured. This can't just be an individual consumer responsibility.

I can't speak for other ecosystems, but some NuGet measures are here:

https://devblogs.microsoft.com/dotnet/building-a-safer-futur...

https://learn.microsoft.com/en-us/nuget/concepts/security-be...

I believe that there have been (a few) successful compromises of packages in NuGet, and that these have been mitigated. I don't know how intense the arms race is now.

pjc50|5 months ago

> "be careful all the time" doesn't scale

Yes, this is the C attitude, where you provide no safety rails or poka-yokes or, indeed, package managers, and therefore you get a lot of fragile reimplementations of package managers (autoconf, anyone?). But you get to keep the satisfaction of blaming the users.

nuget is pretty good. It helps that packages tend to be substantial things, not left-pad.

cayleyh|5 months ago

"Half of all developers have below-average diligence" - a lot of this is also not developer choice, but environmental. So much software is developed and maintained in very constrained economic environments, often by solo devs who also have other responsibilities. The choice here often is trading some "diligence" for "meeting business requirements in the time / budget constraints" imposed by your employer.

ozim|5 months ago

That's not package manager problem that's registry problem. NuGet is not having as many problems as NPM but also NPM is much more popular.

NPM is also quite a wild west when it comes to publishing packages, any kid can make an account and publish 'left-pad' kind of crap.

We already have quite safe and working setup with APT and software repositories for Debian, Ubuntu etc. While it is not so easy to publish your software to Debian, you get dedicated maintainer and all kinds of requirements you have to fulfill.

But this way all the issues with trust are if not mitigated, they are minimized and for example XZ Utils hack didn't make it to production systems and it took 3 years to prepare and pull it off.

pipes|5 months ago

But titled the post "package managers are evil"

Defletter|5 months ago

> The term “evil” is being used partially hyperbolic to make a point.

Kind of bonkers this even needs to be said, and even then it's missed/ignored.

ozim|5 months ago

I disagree with this take. There should be just more governance on the registry side of things.

For NuGet or Maven I think dependency hell is not something you run into and I don’t have package manager manager for those languages.

There should be enough trust just like I can do sudo apt install.

His take screams „I want to push my niche approach and promote my language from my Ivory Tower of language creator”. He still might not have any relevant experience building businesses line software just like O don’t have experience with building compilers or languages.