undefined | Better HN

0 pointslbrandy3y ago0 comments

We should be clear... in these large organizations... HEAD is always broken. But it has the advantage of being broken for everyone, tested by everyone, fixed by everyone, and thus fixed for everyone. And this usually makes it far better than the alternatives.

Having 1000 dependencies with versions pinned means you are living alone and will run into fewer issues, but when they do come, they will be absolute nightmares that no one else is dealing with and no one can help with. And one day you'll have to do the game of begging someone else to upgrade their version of a downstream thing to fix the issue, and they won't, so you'll try to get the other group to backport the fix in their thing to the version you can't upgrade off. And they won't. etc. etc.

Full versioning is the worst of all approaches, IMO, for large complex interconnected codebases (especially ones that are many-to-many from libraries to output binaries) but it absolutely is sometimes the only viable one (for example, the entire open-source-ecosystem is a giant(er) version of this problem, and in that space, versioning is the only thing that I can imagine working).

0 comments

galangalalgol3y ago

Supply chain attacks are worsened if everyone lives at the head. Staying far enough behind that some brave (and hopefully small) project discovers the compromise of a repo for some dependency five layers deep before you re-pin to a new version is probably the best mitigation short of some permissions based model like Austral is working on.

pclmulqdq3y ago

C++ doesn't have the same kind of head as you are thinking. The standard gets pretty well-tested before being standardized as the most recent ("head") version. C++'s head gets more testing than most libraries ever get for any version.

pjmlp3y ago

Anyone with proper experience on C++ ecosystem knows this isn't the case.

Not only is ISO full of DR and things that probably shouldn't have been standardized in first place (thankfully some of them were latter removed), there is plethora of compilers to chose from.

1 more reply

galangalalgol3y ago

Yeah everyone seemed to have atarted talking about living at head in general. My concerns about living at head for c++ is primarily compiler and static analysis support. I like my pipeline to build for clang and gcc and run unit tests in both clang tidy modernize, gcov, cppcheck asan etc.

By the time all of that is supported for a language release we are on the next one, and I value that pipelene more than the changes currently being made.

nneonneo3y ago

The flip side is that exposure to software vulnerabilities is lengthened if people stay on older versions. So, you’ll be less vulnerable to intentional bugs in the software, but more vulnerable to unintentional bugs - and the latter are far more likely in practice.

Granted, the former can be quite a bit more severe - but that’s why we should do things like build on dedicated servers with restricted access to the internet etc.

AnthonyMouse3y ago

There are older versions (no new features) and then there are older versions (no security updates). Most security updates don't break compatibility and can be installed without modifying anything that takes that version as a dependency.

This works as long as compatiblity-breaking changes are kept rare so that you can feasibly have someone doing security updates for each of the incompatible versions.

JustLurking20223y ago

There are solutions to this - things like Dependabot go a long way and can integrate pretty seamlessly into your existing Git workflow.

VHRanger3y ago

Supply chain attacks only matter for libraries that can make their own network call, or libraries that directly touch unsanitized web input however?

bawolff3y ago

Supply chain attacks matter anytime you need to trust the code being run. Which is usually always.

Most libraries have network access, but even if they didn't, supply chain attacks could be relavent (but probably less generic)

hamandcheese3y ago

How does one restrict network access for a library?

2 more replies

humanrebar3y ago

> We should be clear... in these large organizations... HEAD is always broken.

I don't know about all of them, but a lot of them have CI set up such that HEAD is never broken for some definition of broken.

Practically speaking it's basically impossible to fuzz test everything, but typically builds and reasonably fast and reliable tests are run before HEAD includes new changes.

Being efficient about supporting this workflow is more or less what monorepo build systems like bazel, buck, and pants were designed for.

mihaaly3y ago

> it has the advantage of being broken for everyone, tested by everyone, fixed by everyone

The correct word here is not advantage but risk.

While making a product you rely on something, some other product/package. Thousand of them if you are unlucky. If you have 1000 packages to collaborate in the development/testing/QA of them you will do nothing else! Also try building a house on a concrete that is still maturing, with tools not ready yet, I dare you! Careful developers rely on reliable things. It is a shame in this industry this is not available. Either released(!) things are not ready yet, or are in demise already, the sweet spot is tiny.

HelloNurse3y ago

It depends on the context: in a React Native project you are almost guaranteed to realize the hard way that you depend on abandonware that won't ever support the latest React Native version or the latest smartphone operating systems, while in a Python project you are almost guaranteed to attempt to use something that is hard to install or compile, or just doesn't work on your slightly divergent platform (e.g. Windows).

j / k navigate · click thread line to collapse

0 pointslbrandy3y ago0 comments

0 comments

galangalalgol3y ago

pclmulqdq3y ago

pjmlp3y ago

Anyone with proper experience on C++ ecosystem knows this isn't the case.

Not only is ISO full of DR and things that probably shouldn't have been standardized in first place (thankfully some of them were latter removed), there is plethora of compilers to chose from.

1 more reply

galangalalgol3y ago

By the time all of that is supported for a language release we are on the next one, and I value that pipelene more than the changes currently being made.

nneonneo3y ago

Granted, the former can be quite a bit more severe - but that’s why we should do things like build on dedicated servers with restricted access to the internet etc.

AnthonyMouse3y ago

This works as long as compatiblity-breaking changes are kept rare so that you can feasibly have someone doing security updates for each of the incompatible versions.

JustLurking20223y ago

There are solutions to this - things like Dependabot go a long way and can integrate pretty seamlessly into your existing Git workflow.

VHRanger3y ago

Supply chain attacks only matter for libraries that can make their own network call, or libraries that directly touch unsanitized web input however?

bawolff3y ago

Supply chain attacks matter anytime you need to trust the code being run. Which is usually always.

Most libraries have network access, but even if they didn't, supply chain attacks could be relavent (but probably less generic)

hamandcheese3y ago

How does one restrict network access for a library?

2 more replies

humanrebar3y ago

> We should be clear... in these large organizations... HEAD is always broken.

I don't know about all of them, but a lot of them have CI set up such that HEAD is never broken for some definition of broken.

Practically speaking it's basically impossible to fuzz test everything, but typically builds and reasonably fast and reliable tests are run before HEAD includes new changes.

Being efficient about supporting this workflow is more or less what monorepo build systems like bazel, buck, and pants were designed for.

mihaaly3y ago

> it has the advantage of being broken for everyone, tested by everyone, fixed by everyone

The correct word here is not advantage but risk.

HelloNurse3y ago

j / k navigate · click thread line to collapse