
> Instead, the problem is one of stability. In a "foundation that doesn't move and cause you to fall over" sense of the word. Consider if people made a house where every room had a different substructure under it. That, largely, seems to be the general approach we use to building software. The idea being that you can namespace a room away from other rooms and not have any care on what happens there.

I'm not sure what the problem is here.

Are you after pinning dependencies to be sure they didn't change? Generally I want updating dependencies to fix bugs in them.

Are you after trusting them through code review or tests? I don't think there's shortcuts for this. You shouldn't trust a library, changing or not, because old bugs and new vulnerabilities make erring on both sides risky. On reviewing others' code, I think Rust helps a bit by being explicit and fencing unsafe code, but memory safety is not enough when a logic bug can ruin your business. You can't avoid testing if mistakes or crashes matter.
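One concrete reading of the "pinning to be sure they didn't change" question is below, as an added example that is not part of the thread or any commenter's code. A version pin alone only fixes a name and number; recording the artifact hash as well (the `--hash=sha256:` syntax pip uses with `--require-hashes`) is what lets you detect that the content behind a pinned version was swapped. The package names, versions and artifact bytes are constructed for the example; the parser is a minimal one written here, not pip's.

```python
"""Verify fetched artifacts against a hash-pinned requirements file.

Added example, not code from the thread. The lockfile format mirrors
pip's `pkg==ver --hash=sha256:<hex>` lines (with backslash continuations);
all package names, versions and artifact contents below are constructed.
"""
import hashlib
import re
from dataclasses import dataclass

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)")
HASH_RE = re.compile(r"--hash=sha256:(?P<digest>[0-9a-f]{64})")


@dataclass
class Pin:
    name: str
    version: str
    sha256: frozenset  # one or more acceptable digests (e.g. wheel and sdist)


def parse_requirements(text):
    """Parse hash-pinned requirement lines into {name: Pin}.

    Backslash continuations are joined, comments stripped. Any requirement
    without an exact `==` pin or without a hash is rejected, because neither
    can be verified after the fact.
    """
    pins = {}
    buf = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        logical = " ".join(buf).strip()
        buf = []
        if not logical:
            continue
        m = PIN_RE.match(logical)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {logical!r}")
        digests = frozenset(h["digest"] for h in HASH_RE.finditer(logical))
        if not digests:
            raise ValueError(f"{logical!r} has no --hash; content cannot be verified")
        name = m["name"].lower()
        pins[name] = Pin(name, m["version"], digests)
    return pins


def verify_artifacts(pins, artifacts):
    """Compare fetched artifacts {name: (version, bytes)} to the pins.

    Returns a list of (name, reason) findings; an empty list means every
    pinned package is present, at the pinned version, with matching content.
    """
    findings = []
    for name, pin in pins.items():
        if name not in artifacts:
            findings.append((name, "missing"))
            continue
        version, data = artifacts[name]
        if version != pin.version:
            findings.append((name, f"version drift: expected {pin.version}, got {version}"))
            continue
        if hashlib.sha256(data).hexdigest() not in pin.sha256:
            findings.append((name, "content changed: sha256 mismatch for pinned version"))
    for name in artifacts:
        if name not in pins:
            findings.append((name, "unpinned artifact present"))
    return findings


# Constructed sample data (not real packages): two good artifacts and a
# re-upload of one of them that keeps the version string but changes bytes.
GOOD = {
    "alpha": ("1.4.2", b"alpha wheel contents v1.4.2"),
    "beta": ("0.9.0", b"beta sdist contents v0.9.0"),
}
TAMPERED_ALPHA = ("1.4.2", b"alpha wheel contents v1.4.2 + unexpected extra")

# The lockfile is generated from the good artifacts so the digests are real.
REQUIREMENTS = (
    "# constructed lockfile\n"
    "alpha==1.4.2 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD['alpha'][1]).hexdigest()}\n"
    f"beta==0.9.0 --hash=sha256:{hashlib.sha256(GOOD['beta'][1]).hexdigest()}\n"
)


def check_good():
    """Unchanged artifacts: no findings."""
    return verify_artifacts(parse_requirements(REQUIREMENTS), GOOD)


def check_tampered():
    """Same version number, different content: caught by the hash, not the pin."""
    arts = dict(GOOD)
    arts["alpha"] = TAMPERED_ALPHA
    return verify_artifacts(parse_requirements(REQUIREMENTS), arts)


if __name__ == "__main__":
    print("clean install:", check_good())
    print("tampered install:", check_tampered())
```

The design point is that the version-equality branch and the hash branch answer different questions: the first catches a resolver picking a newer release, the second catches the case the commenter is asking about, where "the same" dependency quietly changed underneath an unchanged version string.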



Stability in that you don't want to take on a dependency that will throw a migration at you within the next decade. Or longer. You also don't want one that will introduce enabled sweeping features in the common path.

Examples: Google's Guava for the migration department. Apache Commons would be a good example of how not to make life painful for users there.

For sweeping features, Log4j introduced some pretty terrible security concerns.



