[alloy]

> I don't understand your "build settings" comment. Why would there be any build settings originated from a library?

Your project might need to link against frameworks/libraries that the dependency requires. Your project might need certain search path. There are more, but I hope you understand what I mean now.

> As for "making too many assumptions", it sure would be nice if you could, say, explain yourself > […] > Your FAQ link doesn't explain anything

You hear “transitive dependencies” and you assume somebody is “doing something terribly wrong”. I’m saying that that’s not necessarily the case and in the FAQ item that I linked to I state that I’m against the scenario that you assumed.

The blog article that is linked to from that FAQ item goes into more detail about why it’s good to keep it to a bare minimum. (More on that below.)

> and that my wrongness upsets people

I wasn’t referring to you specifically, but rather to people on both sides (for/against) discussing this topic in general, which was the premise for me needing to ‘port’ that blog article. It was a side-node and I see how it could be taken the wrong way.

> To explain my side: third-party code tends to be of low quality and interact with other third-party code in interesting ways. When things go wrong, and they always do even with the best programmers and the best code, the more bad third-party code you have, the more you have to dig through to find and fix the fault. This objection largely goes away if you only use dependencies of extremely high quality

I already knew what you meant, this is not the first time I have this discussion :) But I should have been more explicit:

When we talk about dependencies that were created by a third-party, so _not_ dependencies per se, you are completely right and we are in full agreement. To quote from the blog post:

    “Minimal dependency is not just about the number of libraries you use,
    but also about the total amount of code you pull into your project.
    Less code means less bugs.”

> but to be brutally honest, there aren't enough such projects out there to be able to make a mess from them

I doubt you checked all of them, but seeing as everyone makes mistakes in their own code, I think it’s fair to assume that there is a lot of code that could be improved.

Where we seem to differ, but tell me if I’m wrong, is that you in principle choose to not deal with any of them, probably because it wastes time (?). Whereas I prefer to choose a small one that does (almost) exactly what I need and (almost) is where I want it to be code-wise and then contribute to that project, instead of starting over.

To facilitate the mentality that I and many others have, it helps to have a tool and ecosystem that makes libs discoverable and ‘simple’ to build upon/together.

[mikeash]

I don't refuse to use third-party libraries out of hand. If something is good, I'll use it. However, my assessment of the cost/benefit tradeoff differs from others. Take, for example, AFNetworking. It seems to be the gold standard for any iOS app that makes web calls, to the point where it's practically a default first step when making a new project for many programmers. Me, I don't understand the appeal. The cost is enormous due to adding a huge quantity of code (and therefore bugs) to your app, and the benefit over using what Apple provides is tiny.

If the cost/benefit tradeoff appears worthwhile, taking into account the large cost from adding any third-party code, I'm happy to make it. It just doesn't happen very often.

To me, CocoaPods doesn't move the needle on the cost/benefit tradeoff, because the cost of what CocoaPods handles is extremely small compared to the total. Thus why I don't really understand the point of it. It takes something that's infrequent and already easy, and makes it a little easier.

[al45tair]

Agreed. CocoaPods might be useful if there were a lot of high quality library code out there that we could use, but right now, like Mike, I just don't see it.

The main use-case I can see for something like CocoaPods actually has to do with commercial library code---i.e. code that you purchase and for which you get proper support.

I'll also add this: CocoaPods, as it stands today, also creates a risk, in that it's possible that an updated version of some library you're depending on might have a different license---maybe one that's incompatible with the license for the software you're working on. As far as I can tell, CocoaPods has no mechanism to deal automatically with this issue, which makes its use in commercial projects dangerous IMO.

[alloy]

CocoaPods has been generating aggregated lists of licenses of libraries that you use in your app since a very long time, I don’t know of any other system that people use to pull-in dependencies that does this.

We also only accept libraries that specify a license. This has lead to many more licensing issues being clear than before people used CocoaPods.

We are, however, definitely not going to build in functionality that would give you the green or red light, because it’s impossible to do this right in an automated fashion. In the end, any licensing issue is your responsibility regardless, of how you pull the code in.

[escoz]

>> incompatible license...

You can always just continue to use the same version of the library you always used.