←back to thread

A critique of package managers

(www.gingerbill.org)
109 points gingerBill | 1 comments | 08 Sep 25 12:18 UTC | HN request time: 0.244s | source
Show context
spacebanana7 ◴[08 Sep 25 13:06 UTC] No.45167772[source]
> "This is the automation of dependency hell. The problem is that not everything needs to be automated, especially hell. Dependency hell is a real thing which anyone who has worked on a large project has experienced. Projects having thousands, if not tens of thousands, of dependencies where you don’t know if they work properly, where are the bugs, you don’t how anything is being handled—it’s awful.

This the wrong thing to automate. You can do this manually, however it doesn’t stop you getting into hell, rather just slow you down, as you can put yourself into hell (in fact everyone puts themselves into hell voluntarily). The point is it makes you think how you get there, so if you have to download manually, you will start thinking “maybe I don’t want this” or “maybe I can do this instead”. And when you need to update packages, being manual forces you to be very careful."

I sympathise with this, but I have to respond that we have to live within existing ecosystems. Getting rid of npm and doing things manually won't make building SPAs have fewer dependencies, build would be incredibly slow and painful.

replies(5): >>45167807 #>>45167944 #>>45167982 #>>45168021 #>>45169142 #
Sesse__ ◴[08 Sep 25 13:26 UTC] No.45167982[source]
> Getting rid of npm and doing things manually won't make building SPAs have fewer dependencies, build would be incredibly slow and painful.

You don't think making adding dependencies incredibly slow and painful would make people have fewer of them?

replies(3): >>45168028 #>>45168030 #>>45168094 #
1. pmontra ◴[08 Sep 25 13:36 UTC] No.45168094[source]
Yes, because of human limits of time and of skills.

I remember installing software in the early 90s: download the source code, read the README, find and download the dependencies, read their READMEs, repeat a few times. Sometimes one dependency could not compile because of any incompatibility or bug. Some could be fixed, some couldn't. Often everything ended up with a successful compilation and install and in one day of work I could have what I'm getting in a few minutes now.

Actually those were small programs by today standards. My take is that we would achieve less if we have to use less dependencies.

By the way, the last time I compiled something from source was yesterday. It was openvpn3 on Debian 13, which is still unsupported. TLDR, it works but the apt-get are a little different from the ones in BUILD.md