[conspire] People failing to learn about package gatekeeping, part 1

Ivan Sergio Borgonovo mail at webthatworks.it
Sun Apr 17 15:07:59 PDT 2022


On 4/17/22 21:21, Rick Moen wrote:
> Deliberately circumventing your distro's package regime is reckless.
> People keep learning that the hard way (or, worse, never figuring it
> out).

As a developer I just feel the pain.

No matter how skillful you are and how hard you try to avoid all the 
pitfalls, dependency management is hard.
It is harder when the environment moves.
It becomes even harder if you're planning to open source your software, 
because you have to make it accessible.

Something that helps you manage dependencies can really help.

But then you have this blob of dependencies that can't get shared by 
another program, and in the end you have several independent environments, 
and the next step is distributing your software in an actual virtual 
environment.

From the point of view of a user, you complain when the software is 
hard to install, you complain if it is not up to date, and you complain 
because it pulls in libraries.

As a developer I'm a user myself.

From the point of view of a developer, you just make a compromise 
according to the resources you have... and most of the time making 
software easily accessible with a fast pace of development is preferred 
at the cost of an extra safety net.

Of course there are communities of developers that are more susceptible 
to incorporating rubbish in their projects, since they tend to lack a 
culture of software ecology, incorporating everything that seems to fit 
at that time into their project without a long-term view and security 
awareness.

You can still avoid many problems picking up libraries that have a large 
and sane developer and user base, but language dependency managers are 
rarely designed with some kind of security workflow in mind.

You just have to rely on the workflow of the libraries' developers.
And while most important distributions have a security-aware workflow 
and infrastructure, not all libraries have.

Just the delay distributions add to incorporate new libraries probably 
filters out most of the problems.


-- 
Ivan Sergio Borgonovo
https://www.webthatworks.it https://www.borgonovo.net