[conspire] People failing to learn about package gatekeeping, part 1
Ivan Sergio Borgonovo
mail at webthatworks.it
Sun Apr 17 15:07:59 PDT 2022
On 4/17/22 21:21, Rick Moen wrote:
> Deliberately circumventing your distro's package regime is reckless.
> People keep learning that the hard way (or, worse, never figuring it
> out).
As a developer I just feel the pain.
No matter how skillful you are and how hard you try to avoid all the
pitfalls, dependency management is hard.
It is harder when the environment moves.
It becomes even harder if you're planning to open source your software,
because you have to make it accessible.
Something that helps you manage dependencies can really help.
But then you have this blob of dependencies that can't be shared by
another program, and in the end you have several independent environments,
and the next step is distributing your software in an actual virtual
environment.
From the point of view of a user, you complain when the software is
hard to install, you complain if it is not up to date, and you complain
because it pulls in libraries.
As a developer I'm a user myself.
From the point of view of a developer, you just make a compromise
according to the resources you have... and most of the time, making
software easily accessible with a fast pace of development is preferred
at the cost of an extra safety net.
Of course there are communities of developers that are more susceptible
to incorporating rubbish in their projects, since they tend to lack a
culture of software ecology, incorporating everything that seems to fit
at the time into their project without a long-term view and security
awareness.
You can still avoid many problems by picking libraries that have a large
and sane developer and user base, but language dependency managers are
rarely designed with some kind of security workflow in mind.
You just have to rely on the workflow of the libraries' developers.
And while most important distributions have a security-aware workflow
and infrastructure, not all libraries do.
Just the delay that distributions add before incorporating new libraries
probably filters out most of the problems.
--
Ivan Sergio Borgonovo
https://www.webthatworks.it https://www.borgonovo.net