undefined | Better HN

0 pointsaustincheney5y ago0 comments

Whether the package managers are poorly designed is completely ancillary. It really is primarily about developer laziness, incompetence, easiness.

Proof: https://www.theregister.com/2016/03/23/npm_left_pad_chaos/

Sudden unplanned loss of availability is a catastrophic security problem, the A in the security CIA[1]. Worse is that the dependency that caused that problem was something that should never have been a dependency in the first place.

Proper dependency management requires a degree of trust and integrity validation which are completely counter to automation. Most developers are eager to accept any resulting consequences because they don't own the consequences and because they are fearful of writing original code.

[1] https://en.wikipedia.org/wiki/Information_security#Key_conce...

0 comments

ritchiea5y ago

You can call it laziness but lots of developers correctly assume they'd be out of their jobs or at best out of favor at their company if they raised a fuss about dependency management rather than use (flawed) industry standard tools and get to work on features.

No one gets fired for using npm, you might get fired for insisting you build your own dependency management system because npm is insecure rather than working on your team's domain problem.

austincheneyOP5y ago

> No one gets fired for using npm

Most developers are eager to accept any resulting consequences because they don't own the consequences and because they are fearful of writing original code.

ritchiea5y ago

Some developers are fearful of writing original code. Others realize it's not going to be appreciated by their colleagues to write their own package manager to solve a problem most of the industry disregards. Imagine arguing for getting the "write our own package manager to replace npm/yarn/pip" ticket into a sprint.

2 more replies

majormajor5y ago

Most devs would, however, end up owning the consequences of fully vetting their dependency tree when their manager gives them a terrible performance review for taking 20 times longer to do everything else than their peers.

This can't change bottom up. Even if you went the professional licensing route you'd need top-down regulation to force companies to only higher vetted and licensed professionals, and to actually do verification of projects to make sure all your best practices were being followed and following up on penalizing developers who weren't.

Diggsey5y ago

How is that proof? You're again pointing to a design flaw in NPM: that authors can easily delete packages without warning.

If you yank a package with cargo, it doesn't break people's builds who already depend on that package, it just makes it harder to add new dependencies on the package.

austincheneyOP5y ago

Blaming NPM for that problem is not a cure. Your users don’t care about the sad tired pleadings of a developer about some distant information system in the cloud. All the users care about is that your software was unavailable. That is a security failure.

Again, developers don’t care because they don’t own the consequences of such monumental failures, which is why they will happily and frequently repeat this deliberate mistake until they are terminated.

j / k navigate · click thread line to collapse

0 pointsaustincheney5y ago0 comments

Whether the package managers are poorly designed is completely ancillary. It really is primarily about developer laziness, incompetence, easiness.

Proof: https://www.theregister.com/2016/03/23/npm_left_pad_chaos/

[1] https://en.wikipedia.org/wiki/Information_security#Key_conce...

0 comments

ritchiea5y ago

No one gets fired for using npm, you might get fired for insisting you build your own dependency management system because npm is insecure rather than working on your team's domain problem.

austincheneyOP5y ago

> No one gets fired for using npm

Most developers are eager to accept any resulting consequences because they don't own the consequences and because they are fearful of writing original code.

ritchiea5y ago

2 more replies

majormajor5y ago

Diggsey5y ago

How is that proof? You're again pointing to a design flaw in NPM: that authors can easily delete packages without warning.

If you yank a package with cargo, it doesn't break people's builds who already depend on that package, it just makes it harder to add new dependencies on the package.

austincheneyOP5y ago

j / k navigate · click thread line to collapse