A critique of package managers

(www.gingerbill.org)

109 points gingerBill | 1 comments | 08 Sep 25 12:18 UTC | HN request time: 0s | source

Show context

smw ◴[08 Sep 25 13:16 UTC] No.45167873[source]▶

"When using Go for example, you don’t need any third-party libraries to make a web server, Go has it all there and you are done."

Fine, now what if you need to connect to a database, or parse a PDF, or talk to a grpc backend. What a hilariously short-sighted example.

To me, this whole article just screams inexperience.

replies(5): >>45167966 #>>45167975 #>>45168076 #>>45168151 #>>45174508 #

1GZ0 ◴[08 Sep 25 13:25 UTC] No.45167975[source]▶

>>45167873 #

The Author isn't arguing for not using third party dependencies. He's arguing for developers to be more conscious of the dependencies they use, by manually vetting and handling them. That screams "I've been down the package manager route and paid the price". Not inexperience.

replies(3): >>45168004 #>>45168082 #>>45189859 #

SideburnsOfDoom ◴[08 Sep 25 13:35 UTC] No.45168082[source]▶

>>45167975 #

> He's arguing for developers to be more conscious of the dependencies they use

"be careful all the time" doesn't scale. Half of all developers have below-average diligence, and that's a low bar. No-one is always vigilant, don't think that you're immune to human error.

No, you need tooling, automation to assist. It needs to be supported at the package manager side. Managing a site where many files are uploaded, and then downloaded many times is not a trivial undertaking. It comes with oversight responsibilities. If it's video you have to check for CSAM. If it's executable code, then you have to check for malware.

Package managers are not evil, but they are a tempting target and need to be secured. This can't just be an individual consumer responsibility.

I can't speak for other ecosystems, but some NuGet measures are here:

https://devblogs.microsoft.com/dotnet/building-a-safer-futur...

https://learn.microsoft.com/en-us/nuget/concepts/security-be...

I believe that there have been (a few) successful compromises of packages in NuGet, and that these have been mitigated. I don't know how intense the arms race is now.

replies(3): >>45168222 #>>45169747 #>>45180320 #

cayleyh ◴[08 Sep 25 15:45 UTC] No.45169747[source]▶

>>45168082 #

"Half of all developers have below-average diligence" - a lot of this is also not developer choice, but environmental. So much software is developed and maintained in very constrained economic environments, often by solo devs who also have other responsibilities. The choice here often is trading some "diligence" for "meeting business requirements in the time / budget constraints" imposed by your employer.

replies(1): >>45169783 #

1. SideburnsOfDoom ◴[08 Sep 25 15:48 UTC] No.45169783[source]▶

>>45169747 #

Absolutely true, but still indicates the need for tooling, for automation, and for oversight at the the package store.

"developers, be more conscious" isn't going to fix all the issues. In general, there are not individual effort fixes to systemic issues.

↑