undefined | Better HN

0 pointslotyrin11y ago0 comments

Hard to disable? Most of the dependency tracking tools I'm aware of, spanning from system level to application level, require you to intervene by default, even in the case of security releases and/or even have nice version pinning features.

As the maintainer of an internet facing application, it's part of your ongoing responsibility to, for security reasons, continuously integrate upon your dependencies.

Nothing's fire and forget, it's not sensible not to stand on the shoulders of all these giants around us, but when we do we have responsibility to integrate their security fixes and not break our apps.

Not sure where you draw your line of what"modern" software is when not even system packages and package managment are safe when we have Heartbleeds and ShellShocks, Kernel Vulns et al.

Unless you just mean the bros pumping out new NPM modules/Rubygems/etc, half-assing SemVer, disregarding compatibility as a goal, and only releasing fixes (security-related even) for the latest major version that came out several months ago, or abandoning them. Yeah, that's some serious BS and I hope things mature.

0 comments

ploxiln11y ago

Just today I learned that a version of requests from August broke compatibility with a version of pip from February, which is packaged in ubuntu 14.04. (I was installing dependencies with apt and pip as root in a docker image.) (http://stackoverflow.com/questions/27341064/how-do-i-fix-imp...)

Meanwhile, openssl and bash, while getting security updates very recently, are in their very latest versions still compatible with programs from probably over 8 years ago.

ayrx11y ago

"Meanwhile, openssl and bash, while getting security updates very recently, are in their very latest versions still compatible with programs from probably over 8 years ago."

You have obviously never worked with OpenSSL.

Also, the problems with `pip` is entirely due to Ubuntu not updating their dependencies properly. Upstream `pip` vendors their dependencies so that this precise situation does not occur.

ploxiln11y ago

That does make sense. Since pip is managed this way, Ubuntu should probably classify pip as "not system software, actually flaky web-app-dev software" and not package it.

bigtunacan11y ago

> half-assing SemVer

This is an ongoing and IMO major problem. Even security patch releases are breaking backwards compatibility and causing constant rework.

If the platforms aren't going to honor the contract of semantic versioning then why even bother to use it?

username22311y ago

> half-assing SemVer, disregarding compatibility as a goal...

Like Chrome and Firefox, which toss out something-or-other every few months, call it a "major version," and force-update users by default? Or Windows and Mac OS, which by default offer some kind of "udpate now or remind me in 30 minutes" dialog for both backward-compatible and breaking changes? It's all just complete disdain for users.

lotyrinOP11y ago

Oh, certainly. I was thinking we were speaking developer experience within the realm of building/hosting network services, not so much end-user experience for client software.

That space is still a special hell for lots of reasons. Auto updaters that steal your features away being quite inexcusable but yet also not chief among them for most users.

It seems it still takes a software engineer to work the average client OS and not get it infected with crap. Maybe the average child can operate a shared walled-garden device without exposing their family's sensitive documents to untold numbers of developers of third party software on accident (or on purpose, yay Minecraft Mods!), but that's certainly not true of general computing devices.

Lots of paid (or ad-bloated) software that's lower quality than free alternatives but with cash to spend on a marketing budget, and that's not a high bar given that generally FOSS for end-users performing day-to-day tasks on client devices is still really sad.

xorcist11y ago

I've had luck with a stock Ubuntu install for the parents on both sides of the family. I set it up some eight years ago, installed printers and such, set it to auto update, and help them run the LTS uprgrade every other christmas. YMMV of course, and neither run minecraft mods or install crap from the Internet as they are basic web/office/audacity(!) users.

j / k navigate · click thread line to collapse

0 pointslotyrin11y ago0 comments

As the maintainer of an internet facing application, it's part of your ongoing responsibility to, for security reasons, continuously integrate upon your dependencies.

Not sure where you draw your line of what"modern" software is when not even system packages and package managment are safe when we have Heartbleeds and ShellShocks, Kernel Vulns et al.

0 comments

ploxiln11y ago

Meanwhile, openssl and bash, while getting security updates very recently, are in their very latest versions still compatible with programs from probably over 8 years ago.

ayrx11y ago

"Meanwhile, openssl and bash, while getting security updates very recently, are in their very latest versions still compatible with programs from probably over 8 years ago."

You have obviously never worked with OpenSSL.

Also, the problems with `pip` is entirely due to Ubuntu not updating their dependencies properly. Upstream `pip` vendors their dependencies so that this precise situation does not occur.

ploxiln11y ago

That does make sense. Since pip is managed this way, Ubuntu should probably classify pip as "not system software, actually flaky web-app-dev software" and not package it.

bigtunacan11y ago

> half-assing SemVer

This is an ongoing and IMO major problem. Even security patch releases are breaking backwards compatibility and causing constant rework.

If the platforms aren't going to honor the contract of semantic versioning then why even bother to use it?

username22311y ago

> half-assing SemVer, disregarding compatibility as a goal...

lotyrinOP11y ago

Oh, certainly. I was thinking we were speaking developer experience within the realm of building/hosting network services, not so much end-user experience for client software.

That space is still a special hell for lots of reasons. Auto updaters that steal your features away being quite inexcusable but yet also not chief among them for most users.

xorcist11y ago

j / k navigate · click thread line to collapse