Hacker News new | ask | show | jobs
by ksenzee 3738 days ago
You're talking about the purely technical aspects of package management that keep your build from breaking. My point is that there's a lot more to it than that. Lockfiles do not keep software from requiring maintenance. Introducing a dependency means handing off a chunk of your software project to someone else to maintain. If they do it wrong, you're on the hook for it.

For example, I was a maintainer for an admin UI component of the last version of Drupal core, and we decided to pull in a query string handling library written by Ben Alman. It was a good decision, and it hasn't caused any problems. But it still meant we were trusting him to maintain part of our codebase. It was also an implicit commitment to every user of Drupal that if Ben quit maintaining that library, we would step in and fix any problems that came up. You don't get rid of that commitment with a lockfile.
1 comments
pcwalton 3738 days ago
But if you write it yourself, you're also on the hook for it. So I don't see a meaningful difference here.
link
ksenzee 3738 days ago
Here is an oversimplified model to illustrate my basic point:

A dependency introduces some constant amount of risk (d) that does not vary with the size of the dependency. Every line of code you write yourself also introduces a much smaller constant amount of risk (y).

If you introduce a separate dependency for every line of code in a 1000-line project, your risk is 1000d.

If you can pull in someone else's code for the whole thing and don't need to write any code yourself, your risk is d.

If 200 lines of your code can be replaced with an external library, your risk is d + 800y.

I think the real disagreement here is over the value of d. My experience leads me to put the value of d pretty high relative to y, so to me 1000d is the worst possible case. If someone sees d as equal to y, then they'd see dependencies as no problem whatsoever.

(Obviously in reality the risk of a dependency is not really constant - it's probably more like d + 0.1y or d + 0.01y or whatever, since a 10-line dependency is less risky than a 1000-line dependency. Hopefully my point still stands.)

link