undefined | Better HN

0 pointsJohnFen6y ago0 comments

I'm not really worried about bugs, because the code I have works well, and I doubt I'm going to do any serious new Python 2 development.

0 comments

3 comments · 1 top-level

marcus_holmes6y ago· 2 in thread

I meant the bugs in your dependencies that you'll have to backport fixes to. But hey, if you're writing bug-free code that'll be easy ;)

JohnFenOP6y ago

I understood what you meant. What I'm saying is that my existing code works fine, so whatever bugs are in the dependencies are ones that don't affect me. Should I make a code change that surfaces one, then I have the means to deal with it -- but that is almost certainly going to be a rare event, as my Python projects are stable and aren't going to see much change.

I wasn't commenting on how buggy my own code is. Which version of a language I'm using doesn't really affect that variable.

marcus_holmes6y ago

I get that. But the interesting thing about dependencies is how they surface vulnerabilities that can hurt code that works perfectly well. Your current code probably doesn't have many bugs, but includes an unknown number of vulnerabilities from your dependencies. The bad people probably won't bother examining your code for vulnerabilities, but they will be informed of vulnerabilities in popular libs, and then looking for projects that use those versions of those libs is a lot easier than scanning all those projects individually. So you end up having to backport a bunch of fixes to other people's code because that code was popular and came under intense scrutiny.

But I guess you know this, and are OK with the compromises involved. I'll stop here ;)

1 more reply

j / k navigate · click thread line to collapse