9 tweets, 3 min read
We've been at an inflection point for software development. The bazaar of 1999 is not the bazaar of 2019.

"Good programmers know what to write. Great ones know what to rewrite (and reuse)"
But that was when there was a smaller set of reusable things to choose from /1
We live in a different world now. We reuse things based on the number of GitHub stars or number of downloads.
Our velocity is faster than it ever has been. The "Given enough eyeballs, all bugs are shallow" model doesn't work for dependency management attacks. /2
We've gotten to a point where we bundle or npm install -g or go get -u indiscriminately without really knowing what that might do. We teach new programmers to do this to feel that quick win without the toil of making a thing from scratch. We reward a faster ship at work /3
As an industry, making a piece of software is easier than ever, and also carries infinitely more risk. /4
@_rsc outlines this problem in detail: research.swtch.com/deps. The Go programming language has taken a different approach to versioning that I think is beneficial to the industry as a whole. /5
Lockfiles are unpredictable. Dev workflows are still in the wild west of maturity wrt dep management. Concepts developed for Go can become an industry standard: semantic import versioning, which follows the import compatibility rule. More here: research.swtch.com/vgo-import /6
But it also depends on everyone reworking their dev workflow. Semver is a HUMAN contract, not a machine contract (h/t @MarwanSulaiman). Solving this problem means getting a shared understanding of these things, especially about tagging your releases. /7
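A small check of the import compatibility rule the thread refers to, added here as an example that is not part of the original thread or of Go's own toolchain: given a module path and a release tag, it reports whether the pair obeys semantic import versioning. The module paths used below are constructed, and the gopkg.in ".vN" spelling of the suffix is not handled.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

func numeric(s string) (int, bool) { // plain decimal digits only, no "+"/""
	n, err := strconv.Atoi(s)
	return n, err == nil && strings.Trim(s, "0123456789") == ""
}

// majorOfVersion extracts the major from a tag like "v1.4.2" or "v2.0.0-rc.1".
func majorOfVersion(ver string) (int, error) {
	if !strings.HasPrefix(ver, "v") {
		return 0, fmt.Errorf("version %q must start with 'v'", ver)
	}
	rest := ver[1:]
	if end := strings.IndexAny(rest, ".-+"); end != -1 {
		rest = rest[:end]
	}
	if major, ok := numeric(rest); ok {
		return major, nil
	}
	return 0, fmt.Errorf("version %q has no numeric major", ver)
}

// CheckImportCompat enforces semantic import versioning: v0/v1 tags live
// at the bare module path and every major >= 2 needs a matching /vN suffix,
// so two incompatible releases can never share one import path.
func CheckImportCompat(path, ver string) error {
	major, err := majorOfVersion(ver)
	if err != nil {
		return err
	}
	pathMajor, hasSuffix := 0, false
	if i := strings.LastIndex(path, "/v"); i != -1 {
		pathMajor, hasSuffix = numeric(path[i+2:]) // constructed paths: example.com/lib, example.com/lib/v2
	}
	switch {
	case major < 2 && hasSuffix:
		return fmt.Errorf("%s@%s: v0/v1 tags must use the bare path", path, ver)
	case major >= 2 && !hasSuffix:
		return fmt.Errorf("%s@%s: needs module path %s/v%d", path, ver, path, major)
	case major >= 2 && pathMajor != major:
		return fmt.Errorf("%s@%s: path says v%d, tag says v%d", path, ver, pathMajor, major)
	}
	return nil
}
```

Calling CheckImportCompat("example.com/lib", "v2.0.0") returns an error, while the same tag at "example.com/lib/v2" passes, which is exactly why a breaking release cannot silently replace the v1 package under the same import path.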
Every lang & ecosystem has taken a diff approach to solving dep mgmt.
GitHub has entered the fray, but I'd love us all to develop a shared vocabulary and approach. This might be heresy to some, but as a dev, I'm tired of trying to keep these different models in my head. /8
Anyway, these kinds of dependency management related attacks will only get worse before they get better, and so it's time we come together and try to solve it in a unified way. /end
Thread by Carmen Hernández Andoh