by fny 1368 days ago
I've said this before elsewhere and was downvoted to hell. We're about to enter the golden age of bitrot. Software, due to its immense chain of dependencies, requires constant maintenance. There is no guarantee *any software* --proprietary or FOSS--will survive unless some human gives a shit.

So penpot is a great alternative to Figma for as long as you're damn sure someone will be willing to keep it alive.

Everyone has become so used to pulling or downloading whatever random software and having it work, and creating forks like wildfire (just look at how many Ubuntu flavors there are), without considering what will happen if the devs just don't have the time anymore or don't care. And if something massive upstream changes like CPU architecture (hello M1) or some browser change or some migration to Oauth5, everything gets borked in one shot.

Also, what's going to happen when a package creator dies? The first generation of FOSS devs are still alive and well. Will the second generation decide to maintain their work or is it easier to rewrite things?

Personally this is why I started only pushing packages that have extremely small surface areas (a single function call) that I know I'm willing to maintain indefinitely.

This is also why I became so married to plain text.

3 comments

The difference is that for FLOSS it is sufficient for anyone to care enough (time and money), but for proprietary software it is NECESSARY for the copyright holder to care and to be aligned, or at least not in direct conflict, with the users.
Oh, tell me about it! I’ve spent this week trying to reproduce the results of a paper from 2019.

Out of the box, the referenced sources don’t even compile or run. I’ve been fighting random Python/Java/Scala dependencies; using whatever version was the “latest” at time of publishing usually works, unless of course, it doesn’t support M1…

I'm curious how things like Nix will help with this in the future, especially as the platform matures.

I took a bit of time a little while back to convert a wee app of mine to using Nix flakes to build, specifically because I was getting bitten by API changes in a key dependency. Once I nailed down the configuration to include the version(s) that worked with my original code... it worked. Took a while that first time, but got it done, and now it should be defined in a way that stays robust.
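As an added illustration of the pinning approach the comment above describes (not the commenter's own flake, and not from any project mentioned in the thread), here is a minimal `flake.nix` for a hypothetical single-script app called `wee-app` that depends on Python from nixpkgs. The app name, version and `app.py` file are assumptions for the example; the `nixos-23.11` branch is a real nixpkgs release branch, and the exact commit it resolves to is recorded in `flake.lock` the first time you run `nix build`, so later builds keep using that commit until you explicitly run `nix flake update`.

```nix
{
  description = "Example flake pinning the toolchain used to build a small app";

  inputs = {
    # Pin nixpkgs to a release branch. flake.lock records the exact commit
    # and content hash, so the build does not drift when upstream moves.
    # To pin a specific commit directly, use "github:NixOS/nixpkgs/<rev>".
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
  };

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
    in {
      # `nix build` produces this package; `nix run` executes it.
      packages.${system}.default = pkgs.stdenv.mkDerivation {
        pname = "wee-app";      # assumed name for the example
        version = "0.1.0";      # assumed version for the example
        src = ./.;              # the flake's own directory, containing app.py

        # The interpreter version comes from the pinned nixpkgs commit,
        # not from whatever happens to be installed on the host.
        buildInputs = [ pkgs.python3 ];

        installPhase = ''
          mkdir -p $out/bin
          cp app.py $out/bin/wee-app
          chmod +x $out/bin/wee-app
        '';
      };
    };
}
```

Commit `flake.lock` alongside `flake.nix`: the lock file is what makes the build reproducible for anyone who clones the repository later, since it fixes the nixpkgs revision rather than a moving branch name.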

Having a bunch of small packages instead of a few larger ones would be considered increasing surface area in most security software. You could do it safely but I wouldn't be evangelizing this as a sound idea.