←back to thread

A critique of package managers

(www.gingerbill.org)
109 points gingerBill | 2 comments | 08 Sep 25 12:18 UTC | HN request time: 0.408s | source
Show context
smw ◴[08 Sep 25 13:16 UTC] No.45167873[source]
"When using Go for example, you don’t need any third-party libraries to make a web server, Go has it all there and you are done."

Fine, now what if you need to connect to a database, or parse a PDF, or talk to a grpc backend. What a hilariously short-sighted example.

To me, this whole article just screams inexperience.

replies(5): >>45167966 #>>45167975 #>>45168076 #>>45168151 #>>45174508 #
1GZ0 ◴[08 Sep 25 13:25 UTC] No.45167975[source]
The Author isn't arguing for not using third party dependencies. He's arguing for developers to be more conscious of the dependencies they use, by manually vetting and handling them. That screams "I've been down the package manager route and paid the price". Not inexperience.
replies(3): >>45168004 #>>45168082 #>>45189859 #
pipes ◴[08 Sep 25 13:28 UTC] No.45168004[source]
But titled the post "package managers are evil"
replies(1): >>45168062 #
Defletter ◴[08 Sep 25 13:33 UTC] No.45168062[source]
> The term “evil” is being used partially hyperbolic to make a point.

Kind of bonkers this even needs to be said, and even then it's missed/ignored.

replies(2): >>45168204 #>>45173776 #
rgoulter ◴[08 Sep 25 13:45 UTC] No.45168204[source]
The title is provocative and attention grabbing. -- It's completely fair game to react to the provocation rather than the substance of the article itself. (Or, rather, it's silly to use attention grabbing rhetoric, then complain that people paid attention to the rhetoric).

I'd prefer instead a more balanced title like "Remember to Consider the Costs When Using Package Managers", or whatever.

replies(2): >>45174241 #>>45179105 #
1GZ0 ◴[09 Sep 25 08:23 UTC] No.45179105[source]
> It's completely fair game to react to the provocation rather than the substance of the article itself.

Yeah, but its down right stupid to do so.

The title isn't even misleading or part of a Motte-and-bailey argument.

People just hear "Package Managers are Evil" and assume that the author means you shouldn't use third party dependencies. Which is NOT what's being argued.

But I guess you'd know that, if you read passed the title.

replies(2): >>45179417 #>>45179930 #
rgoulter ◴[09 Sep 25 10:08 UTC] No.45179930[source]
In the article, the author does say "I am not advocating to write things from scratch", while also describing third party dependencies as liabilities (e.g. security vulnerabilities), that people are too trusting of third party dependencies, that people overestimate the quality of third party dependencies.

I think you're splitting hairs if you're saying that these points from the article argue against package managers but don't argue against using third party dependencies.

I similarly think you're splitting hairs if to consider "package managers are useful?" and "third party dependencies are useful?" as distinct points.

replies(1): >>45180940 #
1. 1GZ0 ◴[09 Sep 25 12:19 UTC] No.45180940[source]
Liability: "Something for which one is liable; an obligation, responsibility, or debt."

Third party dependencies absolutely are liabilities. You are liable to vet them, inspect their licenses and keep them updated while ensuring that they continue working with your existing code.

This is not something package managers help you do. Package managers like NPM make it trivial to skip these steps entirely.

What is being argued for, is a more thoughtful approach to handling third party dependencies. Or at the very least, the need for people to realise that there are costs associated with bringing third party dependencies into your codebase.

Its not splitting hairs at all. Its more of an presumption on the part of a large number of readers, that the 2 points argued conflate to "Package manager suck, because third party dependencies suck and you should write everything from scratch instead".

replies(1): >>45192539 #
2. ◴[10 Sep 25 02:43 UTC] No.45192539[source]