Why Bloat Is Still Software’s Biggest Vulnerability

H. S. Teoh hsteoh at qfbox.info
Tue Feb 13 01:30:49 UTC 2024


On Tue, Feb 13, 2024 at 01:56:08PM +1300, Richard (Rikki) Andrew Cattermole via Digitalmars-d wrote:
> On 13/02/2024 6:30 AM, H. S. Teoh wrote:
[...]
> > Which is utterly crazy, if you think about it. Unless you pin every
> > dependency to exact versions (who even does that?!), every time you
> > build your code you're potentially getting a (subtly) different set
> > of dependencies. That means the program you've been trying to debug
> > 5 mins ago may not even be the same program you're debugging now.
> > Now of course it's possible to turn off this behaviour while
> > debugging, but still, the fact that that's the default behaviour is
> > just nuts.
> 
> What? Dub doesn't upgrade dependencies for you without you asking for
> it.
> 
> It either has to be missing, or you ran ``dub upgrade``.
> 
> To prevent that being an issue long term, you can vendor your cache
> into your repository. ``dub build --cache=local``. Unfortunately you
> have to provide that on cli every time.
> 
> There are solutions here for those who care about it. If you don't
> care about it, of course it isn't a solved problem.

And that's the point, *by default* you get the bad behaviour, you have
to work to make it do the right thing. You have to put in the effort to
learn to use `--cache=local` (and you have to know enough to even be
aware that you might need to use it in the first place -- most people
wouldn't even care 'cos they don't even know this is an issue).  I'm not
singling out dub here, I'm talking about the entire philosophy behind
dub and similar tools. The defaults are very much designed such that you
would just pull in hairball dependencies automatically without needing
to give it so much as a thought.  There is little, if any at all,
incentive to make do with as little as possible to get your job done. On
the contrary, the whole idea is very much to "buy the package deal", so
to speak, download (and build and link) the entire bundle of stuff which
gives you everything, bells and whistles and all, even if you actually
only need to use less than 10% of it.

A million LoC OS just to open the garage door, as the linked article
puts it.


T

-- 
Long, long ago, the ancient Chinese invented a device that lets them see through walls. It was called the "window".
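An added check for the version-pinning point raised above (my example, not code from the thread or from dub itself): it reads a dub.json and lists every dependency whose spec is not a single exact version. It assumes dub's documented spec syntax, where "1.2.3" or "==1.2.3" is exact, "~>" and comparison operators start ranges, "~name" selects a branch, and an object with "path" is a vendored dependency; the manifest below is constructed.

```python
"""Flag dub.json dependencies that are not pinned to one exact version.

Assumed spec syntax (per dub's package format): "1.2.3" or "==1.2.3"
is exact; "~>", ">=", ">", "<", "<=" start ranges; "~branch" is a
branch; an object with "path" (or "repository") is a non-registry dep.
"""
import json
import re

# Exact version, optionally with a "==" prefix and a prerelease/build tag.
EXACT = re.compile(r"^(==)?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?$")


def classify(spec):
    """Return 'exact', 'range', 'branch' or 'path' for one dependency spec."""
    if isinstance(spec, dict):
        if "path" in spec or "repository" in spec:
            return "path"
        spec = spec.get("version", "")
    spec = spec.strip()
    # "~master" is a branch; "~>1.2" is a range, so exclude that prefix.
    if spec.startswith("~") and not spec.startswith("~>"):
        return "branch"
    if EXACT.match(spec):
        return "exact"
    return "range"


def unpinned(dub_json_text):
    """Return {name: spec} for dependencies that can resolve differently
    between builds; vendored path deps live in the repo and count as pinned."""
    manifest = json.loads(dub_json_text)
    deps = manifest.get("dependencies", {})
    return {n: s for n, s in deps.items() if classify(s) not in ("exact", "path")}


# Constructed sample manifest, not a real project.
SAMPLE = """{
  "name": "garage-door",
  "dependencies": {
    "vibe-d": "~>0.9.0",
    "mir-algorithm": "==3.20.1",
    "silly": "1.1.1",
    "experimental": "~master",
    "local-lib": {"path": "./vendor/local-lib"}
  }
}"""

if __name__ == "__main__":
    for name, spec in unpinned(SAMPLE).items():
        print(f"{name}: {spec!r} is a {classify(spec)}, not an exact pin")
```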