,
9 tweets,
3 min read
Read on Twitter
We've been at an inflection point for software development. The bazaar of 1999 is not the bazaar of 2019.
"Good programmers know what to write. Great ones know what to rewrite (and reuse)"
But that was when there were a smaller set of reusable things to choose from /1
"Good programmers know what to write. Great ones know what to rewrite (and reuse)"
But that was when there were a smaller set of reusable things to choose from /1
We live in a different world now. We reuse things based on the number of github stars or number of downloads.
Our velocity is faster than it ever has been. "Given enough eyeballs, all bugs are shallow" model doesnt work for dependency mamagement attacks. /2
Our velocity is faster than it ever has been. "Given enough eyeballs, all bugs are shallow" model doesnt work for dependency mamagement attacks. /2
We've gotten to a point where we we bundle or npm install -g or go get -u indiscriminately without really knowing what that might do. We teach new programmers to do this to feel that quick win without the toil of making a thing from scratch. We reward a faster ship at work /3
As an industry, making a piece of software is easier than ever, and also carries infinitely more risk. /4
@_rsc outlines this problem in detail. research.swtch.com/deps. The go programming language has taken a different approach to versioning that I think is beneficial to the industry as a whole. /5
Lockfiles are unpredictable. Dev workflows are still in the wild west of maturity wrt dep management. Concepts developed for Go can become an industry standard: semantic import versioning, which follows the import compatibility rule. More here: research.swtch.com/vgo-import /6
But it also depends on everyone reworking their dev workflow. Semver is a HUMAN contract, not a machine contract (h/t @MarwanSulaiman). Solving this problem means getting a shared understanding of these things, especially about tagging your releases. /7
Every lang & ecosystem has taken a diff approach to solving dep mgmt.
Github has entered the foray. but I'd love us all to develop a shared vocabulary and approach. This might be heresy to some, but as a dev, I'm tired of trying to keep these different models in my head. /8
Github has entered the foray. but I'd love us all to develop a shared vocabulary and approach. This might be heresy to some, but as a dev, I'm tired of trying to keep these different models in my head. /8
Anyway, these kinds of dependecy management related attacks will only get worse before they get better, and so it's time we come together and try to solve it in a unified way. /end
