They touch on the fact that computer systems have evolved for so long that nobody really knows most of the code anymore. They just use it and build on top of it.

One particular character has been traveling and in stasis so long that he is probably one of the oldest humans alive. A systems engineer of old. It turns out to be a big advantage to know the workings and vulnerabilities of his time because he can use them in the future when everyone else is building many layers on top of that and have no way of knowing exactly what he's doing.

Vernor had a point, I think.

In the former case, it's a genuine mystery that can be only solved by very smart people and modern science. In the latter, it's the lack of interest - sure, for $$$ a knowledgeable engineer will take the washing machine apart and figure out the exact defect, but no one is going to pay this, they'll just throw the washing machine away and get a new one.

The historical software knowledge is definitely the latter. It is eminently possible to dig into any part of software and eventually get a full understanding of this part. But most of the time, it's way cheaper and more practical to shrug and ignore the problem, or maybe add yet another layer to compensate.

https://web.archive.org/web/20240127140416/https://www.gulp....

That kind of "nobody knows" is about the complexity of many large interconnected systems, and the deep wells of knowledge, theory, and history in each of the various domains.

I argue it's different from your washing machine type because the domains of computing are vast. Sure, you can dive in and figure some things out when necessary, but you can do that with pencil production too.

I was fortunate to get a computer and electrical engineering education that ran the gamut from making basic organic semiconductor structures in the lab and up the pyramid through logic gates, adders, a custom processor on an FPGA, writing a custom RTOS, patching the Linux kernel, and writing a userspace application.

There are no black boxes anywhere on that stack - someone somewhere knows or knew how it worked - but the last time that some systems engineer could claim comprehensive understanding of the stack was probably no later than the early 80s.

Individually, one can build broad competence, comprehension, and a career at some height in the pyramid, and can have limited comprehension of things directly above and below your zone, but the whole pyramid is superhuman.

If you started today, you might not use graphite, or wood. That's ok for pencils. But it might mean we've forgotten a technique they used for making pencils that's also useful for tiny gear shafts. But we don't use it for gear shafts anymore because somebody invented the Swiss lithoscropy process.

There's the graphite core, the wood handle, the yellow paint, the eraser and the little metal ring holding the eraser.

No one person knows how to find, extract and refine the raw materials, then turn them into those components and put it all together.

There is a library called `pyasn1`, the author passed away and there are some challenges, such as intimidatingly long error messages that are not easy to interpret, or counter-intuitive behaviour of some of the functions in its API.

Do you have any tips for approaching this with the few resources that are available?

I hate that short story because of how silly it is. I get the point that it's trying to make, but it's packaged in such an absurdly unrealistic way that it loses all impact.

https://scifi.stackexchange.com/questions/209233/short-story...

For more discussion, see http://lambda-the-ultimate.org/node/4424

  - Howdy! there's a bug!
  - Okie, lookie!
  *dig dig dig, stares at line 47*
  - Oh my, this horsemanure could not have possibly worked, ever! What kind of damaged wetware wrote this?!
  $ git blame
  - Oh.

https://github.blog/2022-09-20-if-you-dont-make-it-beautiful...

I wonder what future humans will make of it, digging through such a massive amount of good, bad, and terrible code. Much of it probably won't run without serious effort.

I think we're already dealing with this. My uncle is in his 60's and maintains old truck shipping software in COBOL. Btw there are job openings in old tech like this, for those that are interested. Happy to provide introductions.

But the basic problem stands, the left-pad issue.

We still deride this choice. Junior engineers without supervision hap-hazardly installing dependencies. But over the course of decades and generations of developers we still "sum to zero", where most software will rely on some number of unknown dependencies.

Say in 2100 an update needs to be issued. You push it through whatever is managing npm dependencies at the time. Meanwhile there is a solar system of dependent devices that need security updates. There could be trillions of dependent devices and any number of of independent intermediary caches that may or may not be recently updated. I can't event imagine what that dependency tree would look like.

Also it's frustrating working in such conditions where you have to dig through framework code to get to where it matters. It feels like your time is wasted.

This isn't far from the current reality, where critical systems rely on nearly-dead skills like COBOL programming.

In a prior job I had, we developed enterprise software aimed at large corporations. We had to support several old mainframes that don't actually exist anymore outside of museums -- but these companies ran emulators of the mainframes solely to continue to use the software they'd been using for decades. Nobody at those companies even has the source for that software, let alone know how it really works. It just works and they can't justify the expense of reworking their entire system just to get rid of it.

They're highly paid not because they're part of a short supply of COLOB devs, but because they have COBOL experience and the battle scars to know how to solve production issues that those new to Cobol might not know about, but which the old timers saw several times already in their careers and know how to fix

If you start learning Cobol now to cash in on the this market, as a Cobol junior you won't be remotely as valuable as those Cobol graybeards with battle scars, which is why nobody's pivoting to Cobol.

Good COBOL programmers are expensive because they’re rare, and the only way to become a good COBOL programmer is to spend a decent fraction of your education and/or career working with it. That doesn’t happen organically anymore for any significant fraction or junior devs.

You can't replicate years or decades of Cobol project experience to "get good at it", out of thin air by doing some side projects at home. No amount of individual self study can prepare you for industry specific cruft and issues you've never encountered. If it were that accessible, a lot of people would do it.

Right, this is what I meant by "expert COBOL programmers".

Heh - my backup retirement plan :-) Hell, COBOL paid really well during Y2K just add 2 characters to the date field :-P

0 - https://en.wikipedia.org/wiki/Great_Sky_River_(novel)

This is among my most favorite books and not just because it’s about a long time soldier software developer like myself.

I get the impression it's no better in rust land. Go try to edit the rust docs. Watch it install ~1000 crates.

The issue is not the language, it's that anyone can post a library (not complaining) and anyone does. People who "just want to get stuff done" choose the library with the most features and then beg for even more since they can't be bothered to write the 3 lines of code it would have been to solve it outside the library. "Can you add render to pdf?"

I don't know how to solve it. My one idea is to start an "Low Dependency" advocacy group with a badge or something and push to get people to want that badge on their libraries and for people to look for that badge on libraries they choose.

>I don't know how to solve it. My one idea is to start an "Low Dependency" advocacy group with a badge or something and push to get people to want that badge on their libraries and for people to look for that badge on libraries they choose.

It sounds like you're conflating low bloat and low dependency, which is like trying to have your cake and eat it too. If you want low bloat libraries, then it's likely you're going to be pulling a lot in that don't independently do much. If you want low dependency libraries, then you'll be pulling in a few that do do a lot.

From my perspective I'd rather have slightly fatter libraries if they're low dependency and by authors I trust. Lodash for instance, sure it's big but the es6 module version supports tree shaking and it's basically the standard library JS never had. Same for something like date-fns for Date. I pretty much pull these two in by default into any project to fill those holes in JS's core library.

I feel this so much.

I once had a contract for ruby on rails work. They were experiencing severe performance issues, so bad that they were developing in release mode (server won't detect a file change and reload for you).

One day I get tired of it and start digging into it. I don't remember how many gems they were pulling in but it was A LOT. I came across one particular gem which saved 3 lines of code. Seriously.

I stayed away from the RoR community after that. I recently picked up a contract for more RoR work (after all these years, lol) and ... it's not nearly as bad but it's not good either.

Some communities just do NOT respect the risk that dependencies bring.

Python probably has just as many shitty packages as Node, but Python’s stdlib is so vast that you often don’t need to, if you bother to read the docs. Today, I was marveling at a function someone wrote at my work to cast strings to Titlecase. I learned today that JS has no built-in for that.

That’s a tiny example, but there are far more.

I've never seen a .net project with 100+ dependencies, I've easily seen that multiple times for RoR and node.

Paradoxically, I like the PHP community because they're so practical (yes, the language itself is ugly). RoR built rake for running jobs (it does more things, but that was the primary motivation). PHP community just used cron. Although, having said that, Laravel takes a lot of its cues from RoR and has the same sort of tooling.

But when Laravel first hit the scene a lot of people would criticize it for its use of static, but it was legitimately nice to use and that won out in the end.

I don't make a judgement of Rails as a community. Most of my Ruby work has been Ruby on Rails so that's' the lense I see things through. Rubyists may be the most practical of all, it's just that so much of Ruby code is RoR that it's difficult for me to separate them out.

You probably know this already, but just in case;

I would also strongly recommend not using packages.config or upgrading if you can. PackageReference can deal with transitive dependencies because the compiler resolves them for you: https://learn.microsoft.com/en-us/nuget/consume-packages/pac...

So you don't have to add a dependency to a project just because another dependency has a dependency on it. It might allow you to start removing dependencies.

I've been told packages.config allows pre/post events that PackageReference doesn't so it may be that it's not an option for you, but even then I'd try really hard to move away from packages.config.

Here's some migration documentation just in case: https://learn.microsoft.com/en-us/nuget/consume-packages/mig...

What kinds of things do you find take longer in .NET?

I say this as someone with extensive experience in .net, ruby, PHP (laravel, et al), and so on.

Even something like ActiveRecord is going to blow .net out of the water in terms of pure speed, but long term the typing and the stability of .net gives it the advantage.

On the other hand its really nice that any git repo can host a Go lib and anyone can use it from that url

Examples of excellent stdlibs in my opinion would be for instance Kotlin and Python.

I took this to mean that Go's stdlib required a lot of 'do-it-yourself' implementations.

First you have package makers that want to make this into a career, and the only way to generate buzz is by having thousands of them. So they focus on generating packages that depends on others created by them, and on trying to get their one or two useful packages into someone else's code.

The second is people who believe that the only solution to problems involves including a new package, without caring about how many dependencies it has, or even if the actual problems is actually hard to solve. So instead of learning how to solve the problem, they must learn the API of some wrapper with 4 GitHub stars.

Hopefully these will also spend the tedious hours pruning unnecessary packages, minimizing responsibilities of each, and overall organizing the environment in a sensible way, then caching that standalone so there's no LLM dependency - just an update checker/curator to call in when things go to shit.

Honestly this is one of the worst problems of modern software and makes 50+% projects unusable. It seems like a very tedious yet solvable problem - perfect for the right LLM agent. Would be a godsend.

They actually think saner devs have not-invented-here syndrome :0

Maybe we could move to having big teams maintain collections of small libraries... But with tree shaking I'm not sure why we'd really need to. I'm happy just sticking with things that have lots of GitHub stars.

I think the solution is just don't use stuff posted by random people on npm if there's an alternative that's widely used, with lots of eyeballs on it. Which there usually is, but people probably choose the smaller one because it's simpler.

Need a hashmap? Need a webserver? Need a UI? It’s all built in. It just works on any device with the same code. People who actually know what they’re doing wrote it and you can trust it. No random downloads or weird packages.

If you want to download random things you still can, but realistically you don’t need to.

I know its not exactly low-dependency but at least lower attack surface.

That is true for all other programming languages.

So which is the worse approach?

A terminal spinner ("ora") with 15 dependencies (including transitive) is not an example of good design.

Inflating the numbers of downloads in your own packages is doing no good to the world of software.

Larger projects will have and likely require depper trees through, but the branchiness should be relatively independent. I wonder if this has ever been formalized.

This applies for large and small projects. Babel also doesn't need to do what it does: it pulls a couple hundreds of non-reusable sub-packages even though it's all written by the same people and maintained in the same monorepo.

“It is as if there were a natural law which ordained that to achieve this end, to refine the curve of a piece of furniture, or a ship's keel, or the fuselage of an airplane, until gradually it partakes of the elementary purity of the curve of a human breast or shoulder, there must be the experimentation of several generations of craftsmen. It seems that perfection is attained not when there is nothing more to add, but when there is nothing more to remove.”

— Antoine de Saint Exupéry, Terre des Hommes

Perfection/truth

It is kind of insane when you see it written out that way. It is staggering how much code I'm running right now on my machine as I type this-- code that I never reviewed and that very likely hasn't had much rigorous review at all. :/

Well, back to installing npm dependencies.

I’m stealing that line :-)

(Of course, as a sibling comment points out, it's impossible to really know.)

My guess is if the invention had a big corporation behind and enough economic potential it would get passed.

Well, that's what cloud providers tell you. And their employees, whose salaries depend on them not understanding otherwise.

In some cases, especially due to some compliance (ISO27001/SOC2-3, Fedramp, etc.) companies implement a proper management of CVEs. It has become a standard practice (typically, this is part of the Enterprise subscription of the SAAS/product of choice).

Having a service/lib/whatever that uses a crappy lib that doesn't get a CVE fixed in a specific timeframe can lead you to miss the SLA you define with your customers (e.g., "we fix high risk CVEs in 90 days and critical in 30 days", that kind of stuff).

For such companies having a service like that which is probably not even core business can become really a cost, especially because Enterprise companies will push very hard on you to make those CVEs fixed. I have seen colleagues working over weekends just to have 1 single CVE because of 1 single company pushing us really hard to fix that stuff. It was a big contract, you don't want to lose it.

So, yes: paying X$ to someone that promises you "we take care of CVEs", etc. can be a win. You're not just buying software: you are in a sense buying some accountability, although at the end of the day YOU are what the customer sees, not your SaaS behind the scenes.

Example my now ex-girlfriend was distrusting of "the cloud", for rational reasons I will add thanks to a former Eastern Bloc childhood. However the alternative solution was hoping she wasn't going to lose the HP laptop she'd paid bottom dollar for. Some education later and she had peace of mind, at least on that front.

What we have is a general lack of education and consideration of what the consequences of that lack of education are. The end game is that you either have to accept the risk, and I've seen many a tear there, educate yourself, and I've not seen much of that, or suck up to the SaaS and cloud vendors.

It's a matter of personal responsibility and no one seems to have it so leaving that to the professionals (ha!) might be a less bad solution that trusting yourself.

Education is the right answer though but hopeless. I'm not sure if my post has a conclusion but it sure depresses me re-reading it.

I'm an independent developer, and the person who learned node.js last year, who will throw node.js, containers, random AWS hosted DB services, lambda services, object storage, cloudflare, yaml, react, vite and other dependencies together to produce a cookie cutter, yet still very fragile, webapp together in a day will always bid lower than me.

The lean, fast, cheap to run and cheaper to maintain software just can't be written profitably, even if it is cheaper in the long run.

And that's just the attack surface when it comes to leanness mediocrity.

The "defect & deficiency surface" is much larger than the attack surface, and defects are always doing their deeds while attacks are (hopefully) relatively seldom.

This dream quickly fell apart (remember DLLs?), & it seems that much package management & packaging has to do with making sure the right libraries are available. It makes sense that it would not have worked as was hoped, as mass software development was still essentially in its infancy. Here's my question: now that there has been a great deal of collective experience in these matters, is it the case that it has been learned that this dream is simply impossible to bring about in a sane fashion (codebases may simply not be moveable to such a system without unaffordable effort), or has there been enough experience with the current messy state of affairs to drive people toward a modern attempt at making this actually work? If we're wanting fast, lean, stable, secure software (& all four may not be possible at once), I'm not sure that the current situation is heading toward those ends.

There are certain things we are doing in this landscape that are pretty effective, but they are done outside of the "you, the machine, and a greenfield project" context that drove Wirth's endeavors. The problem tends to be that they come with certain monumental thresholds of "big dependency" like a database or browser engine, and if you don't like how the big dependency was made you end up unhappy.

Maybe you have 70% fewer vulnerabilities per line of code than C++ if really 70% of (old) C++ vulnerabilities are memory related.

But if you then pull in hundreds of packages in Rust and have 10x as many lines of code...

30% of 100k lines is more in total than 100% of 10k lines of code.

The amount of code might be the same, but that doesn't guarantee that the level of risk is the same. A lot of bugs are introduced at interfaces -- the provider of an API makes a subtle change without realizing how it affects some of the API consumers -- and that's inherently more likely to occur if the two sides of the API are developed separately.

In the FreeBSD world we've found that it's incredibly useful to develop the kernel and libc and system binaries together; all sorts of problems Linux trips over simply never happen in FreeBSD.

I don't know if that was a deliberate portmanteau of obtuse+ontological, or if it was a happy typo, but I'm stealing it.

please don't... I understand your point but there are hundreds of vulnerabilities introduced every day in memory-safe languages that have nothing to do with rust's concept of "unsafe".

the root cause of a problem in unsafe could can absolutely be from safe code because the safe code can set state in a way that causes problems.

One can easily see this if you consider safe code that sets an index and then calls into unsafe code but the index is out of range. The root cause is absolutely in the safe code.

However, I do believe Rust gets a whole lot of things right.

I sincerely hope that unnecessary use of unsafe code is avoided.

People have got to stop believing that safe code in rust is automatically not the root cause of problems. It's a misapprehension.

I hope that the code that streams your data out to an endpoint isn't memory safe, so you easily find it!

No one is forcing you to use the libraries. Just write your own software stack yourself.

But big problem is vulnerablilities. Is it better to fix hundred libs by fixing a bug in one shared lib or is it better to fix hundred libs one by one?

What is actually better is to have code that is properly auditable for end-users, or even to not introduce the risk for those vulnerabilities in the first place.

Things like Heartbleed and Log4Shell were serious vulnerabilities that were useful only for a minority of people, and were hidden inside bloated code. The same thing is happening now with package supply chain.

Why multiply? If everyone rolls their own libs, you can expect different library makers to repeat similar mistakes (stuff like not sanitizing input, forgetting to cap anything that generates output from outside sources, etc.).

> Heartbleed and Log4Shell were serious vulnerabilities that were useful only for a minority of people

Minority of people need SSL and logging?!? Most applications need logging, and most of today's applications need the Internet to function. Could have they been omitted when possible? Perhaps, but you're not making a persuasive argument.

I didn’t make a suggestion, but micro-packages aren’t silver bullets.

Deep transitive dependencies are problematic for their lack of visibility, and often a signal of bloat.

> Minority of people need SSL and logging?!

Heartbleed and Log4Shell weren’t caused by the core SSL or logging code of those libraries, they were caused by code in niche features (heartbeat extension and SAMBA) that should have been plugins (or at least deactivatable by flags). that would massively decrease their impact.

Both Heartbleed and Log4Shell were caused by feature bloat and lack of auditability.

And what is your idea to fix this?

> Deep transitive dependencies are problematic and...

Gonna stop you right here. Deep transitive dependencies are nothing more than huh, other library find this functionality useful, let's pull it into a library.

By not having deep dependencies, you are in no uncertain terms claiming everyone should write their own. Or God forbid copying code into your own project.

Imagine for a moment we write a set of perfect auditable libraries. Fuzzed, written to spec, proven correct & fast in theory and practice.

Guess what? Everyone and their mother will use it, leading to deep transitive dependencies.

The complexity of consumer hardware and software requires that even trivial libraries carry with them many dependencies.

The alternative is basically Ludditism. Where do you draw the line at what is or isn't bloat? Everyone only uses 20% of the features but in aggregate, they use 110% (10% from Hyrum's Law) of the features.

But this is really far away from the bulk of Rust or NPM libraries, and it's very naive to pretend that the situation isn't like that.

I already mentioned two examples of things that could have been separate from the main libraries (or at least require flags or separate compilation) and caused global problems: heartbeat extensions from OpenSSL and LDAP/JDNI from Log4J.

EDIT: I can mention two other examples that I already talked about in this thread: I often come across simple GraphQL-API-consuming apps or libraries that have dependencies on large frontend libraries, while a simple fetch would suffice. The library is needed for introspection, or for building autocomplete clients, but for pure consumption this is unnecessary. Another example are libraries from authors that are splitting code only to bump their NPM or Cargo metrics, like is-odd, or the ora package that has 15 dependencies and a lot are covered by stdlib.

They aren't. I'm steelmanning your position. "What if there exists a set of well audited libraries". And "what if we have package managers everyone uses". The logical answer is that everyone reuses them, leading to deeply nested transitive dependencies. Hence a contradiction. Deeply nested libraries aren't a problem.

> caused global problems: heartbeat extensions from OpenSSL and LDAP/JDNI from Log4J.

Already covered that. How do you disambiguate what is a crucial feature and what is overhead? On surface it seems simple, but constraints, call for features and backwards compatibility guarantees makes that something that only seems obvious in hindsight.

Sure, but nevertheless: if this were a reality, sure, it would be perfectly fine! But we don't live in the fantasy world so we have problems.

This is why people don't complain about this kind of code being moved to standard libraries: stdlibs they are often heavily audited (with exceptions),

So maybe that's a suggestion from me: moving SOME things (NOT ALL) that are traditionally in stdlibs in other languages to the stdlib of your own language.

Or another: perhaps force yourself to use primarily audited libraries (parent commenter mentioned NewtonSoft.JSON... this is a good one that is an industry standard).

I however still won't bulge that depending on too many mystery libraries is not a good thing :/

> How do you disambiguate what is a crucial feature and what is overhead

To keep using the same two examples: if you don't need something for 99% of regular use cases, then it can definitely be optional.

But optional doesn't mean the same as "non existent". I'm not advocating removing features or not making it, like another person said. I'm just advocating building software a bit differently.

Instead of having 100 features and a lot of dependencies in one root package, have instead 1 base package (with fewer features and fewer dependencies) + N plugin packages (with the remaining features and dependencies).

This way you can reduce the blast radius of problematic dependencies without removing features.

Naturally you need good DX, the core package must implement something, it can't be just an empty package that doesn't do anything and requires 200 other packages to work. But there are again no silver bullets here.

- Some set of libraries are fully audited.

- Some libraries can't be fully specced and audited because their specs are in flux (e.g. games, GUIs, webapps)

- Those libraries/apps will limit their maintenance burden by using audited ones

- Package managers are useful.

As long as the set of audited libraries is large or tends to grow large, or the audited libraries build upon each other, or the non-audited libraries depend on many other libraries, the "deeply nested" (I don't think it's deeply nested as much as many dependencies) hierarchy will be replicated.

All those assumptions can be all true, but that still doesn't make the overarching assumption right.

I would also appreciate if you took a look at my messages with a bit more empathy. I state several times that I'm not advocating for the opposite "NIH syndrome" point of view... this has been implied by you and by the other poster several times, and it's not cool :/

"Our software will be so much better quality if it won't do the things you're paying me to make it do" is a non-starter in the real world.

Nobody ever said anything of the sort.

The fact that Rust makes it easy to pull in a large number of small dependencies instead of a few enormous dependencies is irrelevant. You aren't using any more code.

For example are you counting Rusts `regex` crate as a dependency? Well that's just in the standard library for C++.

Does Boost count as a single dependency in C++? Because that would be like 30 separate crates in Rust.

For example, rust happily lets you access a database before checking that the user's auth token is valid - absolutely nothing prevents you from that.

Not enough folks seem to realize but you can use each platforms native web control rather than bundling electron. If you do that your distributed app can be in the kilobytes. This approach also gives you the freedom to use whatever backend programming language / tech stack you want so long as it can communicate with the web view.

PWA should be viable for a pretty large percentage of applications nowadays, right?

I don't know, but could Discord be a PWA instead of an Electron app?

The biggest gap is something capable like SQLite vs IndexedDB, but even then I bet most apps wouldn't require the sophistication of a higher level query language compared the "b-tree" model of IndexedDB.

https://tauri.app

The obvious downside compared to Electron, besides maturity, is you have to test the frontend on multiple browser engines rather than just bundling Chromium everywhere and calling it a day. It uses Microsofts flavor of Chromium on Windows, Apples flavor of WebKit on their platforms, and WebKitGTK on Linux.

[1] https://github.com/webview/webview

You don't need a library for these features. Their easy to access through each platforms native API's and if you go the route of creating the webview yourself (no library) it's a moot point as you're interfacing with the OS anyway.

To paraphrase Churchill, Electron is the worst multiplatform GUI solution, except for all the others that have been tried.

[0 ]https://suckless.org/

Anyway, his comment made me chuckle: "Wow, looks like everything runs pretty quick!" And he was right, everything loaded instantly. Even IE6, Netscape Communicator, Adobe Acrobat 5, etc

https://news.ycombinator.com/item?id=36446933 - Windows NT on 600MHz machine opens apps instantly. What happened?

Follow up post by the original author:

https://news.ycombinator.com/item?id=36503983 - Fast machines, slow machines

1. Standard libraries are the new operating systems

2. The only way to design reasonable (lean, secure, responsive, interoperable, reliable, long lasting, etc.) software is for rich and carefully thought out abstractions to be incorporated into operating system and/or standard library APIs.

We have to remove complexity by building better operating systems, programming language, and core standards/ abstractions. A great example is web components—they should have destroyed the case for React and its ilk, instead a completely wasted opportunity.

Kind of difficult to take this seriously.

https://idlewords.com/talks/website_obesity.htm

http://idlewords.com/amp_static.html

His 10 principles guide everything I create.

Even if it's harder to get started in the end it's less time spent because you know the code better and the code is not adapted around the library and it can better follow the application design.

This approach made everything lean and easy to develop and as a bonus everything is rocket fast.

1: https://www.wisdomandwonder.com/link/2110/why-mit-switched-f...

2: https://news.ycombinator.com/item?id=14167453

But even going beyond that, we're forced to keep building upon tons of old design decisions which don't always match modern software expectations. It doesn't help that modern operating systems have failed to evolve in order to provide a better ecosystem. And that's not even taking into consideration the barriers created by artificial platform segmentation enforced through copyright abuse. In general, platform owners are very resistant to working together.

The biggest innovation in the OS space during the past decade which I'm aware of has been the proliferation of containers. We've given up on combating software complexity and decided that the best thing to do is throw everything into a giant opaque ball of software and ship that.

Anyway, for all my ranting all this bloat has at least enabled a lot of people to ship code when they probably wouldn't have otherwise shipped anything at all. The choice is rarely between good code and bad code, it's often going to be between nothing and bad code. And a lot of this shitty horrible code is often solving real world problems, even if it's bloated.

> The biggest innovation in the OS space during the past decade which I'm aware of has been the proliferation of containers.

As someone in the process of installing Guix, I'm not sure I agree...

Have people taken "Function-as-a-Service" too literally and done the equivalent of moving "is_even" into an AWS Lambda? Or maybe have a dedicated "is_even" nano-service with its own Kubernetes cluster?

They use a Kubernetes “distribution” that adds another layer of automation on top of that!!!

The day is near where “is_even” will be decomposed into multiple containers, with an added caching layer, and extensible authentication layer.

Sounds to me like trading one type of bloat for another.

It's more a way to enforce API boundaries than reducing complexity. I guess when you have some anxiety about your ability to do so otherwise.

What's truly shocking is that the chronic problems with software that were identified in the 1994 SciAm article are still essentially same as those outlined in this current IEEE article.

Back then, Wayt Gibbs correctly concluded that software development couldn't be classed as a professional engineering discipline, so why, if anything, has software development sunk even further into the mire over the past 30 years?

It is truly incredible that so many have allowed this unmitigated shambles to perpetuate for so long.

Why the fuck can't the software industry and computer science finally get their act together?

edit: ok so for thermodynamics analogy purposes, the statement 'closed system' means no matter flows but energy obviously yes... furthermore, 'the tech system' being made of isolated computers and specialized professionals, or networks of computers and specialized professionals is immaterial for the analogy... lots of energy flowing in, in the form of huge amounts of cash, created a lot of entropy, in the form of accidental complexity.

What would happen if things like Angular or React suddenly went away. Would these developers be able to write new applications. Likely not. What if a developer could no longer use jQuery or equivalent helper libraries? Could they continue to deliver work? Almost certainly not.

When most of the work force is only interested in their own narcissism the industry has failed on multiple levels. This is experienced when the first, second, and third priorities are only in the developer’s own self interest such as needing things to be easy. That is why software is bloated, because when the self-interest of the developer is all that matters performance and efficiency become absurdly irrelevant.

The solution to this problem is to set high standards. Not high compared to other professions but astonishingly high compared to software today. If current developers cannot achieve such lofty professional standards do not hire them as senior developers. It may mean it’s in the best interest for employers to train people off the street who are not yet corrupted by poor habits. Eventually the solution will become economic: what is cheaper for the employer. Will it be cheaper to employ large staffs that deliver bad products slowly in their own self-interest or start anew with well trained teams that deliver excellence rapidly at great training or certification expense.

Until the industry figures this out I will never write JavaScript professionally again. Currently, children run the daycare.

It has become very difficult to have some discussions with less experienced developers, because they have a problem accepting that there are alternatives they're not familiar about.

Just this week I had a discussion with a recent hire that claimed it was impossible to use GraphQL without a dedicated client library. The claim that our team built our current product with just fetch was met with "there must be some security issue, or you had to rebuild from scratch something that is as complex as Apollo".

This issue has analogies elsewhere. Why anything sucks at scale in any way has to do with large numbers of other people.

Why can't you find a good quality Widget at any price, only cheap ones? There aren't enough of you who want the better Widgets, so it's not worth it. And when you say any price, you don't actually mean it anyway.

I can almost see how this sort of thing could work -- a secure LAN for the house with appliance controls based on open protocols driven by a local server. Your phone would talk to the server via a LAN (in-house) or a VPN (remotely), decoupling the connectivity from the actual control. Heck, while we're at it, drop IP from the appliances entirely and use some low-bandwidth power line communication system (X10?) -- no need for an OS at all.

That would require a lot of industry coordination, though, and in an age of walled gardens and digital surveillance I don't see it happening anytime soon.

It gets defended because "developers are expensive" but nobody thinks of all the person-hours of our users' time lost because they are waiting for the code to execute up and down that class hierarchy...

- Product Managers being educated in causes and short and long term side-effects of bloat in depth. PMs and their ever increasing lust for making a piece of software do moreeeee!

- Coders should be penalised for frivolous use of libraries (especially in that glorious NPM world). Sometimes I wonder whether they’d just include a library instead of typing the word “include” if they could.

- Dependency registries like NPM (actually especially NPM) should have a strict IIEN check before any library is published there (IIEN: Is It Even Needed). Sometimes it’s okay, actually better, to just write your own quick little wheel.

- package.json (there’s yarn as well?) should be declared a health hazard especially for anyone who is not directly in the field (they might cause panic attacks) - and that’s just the first level listing.

Actually doing stuff, meanwhile, is the process by which you find out you also did not know what you were writing about."

Why architects code: https://bitslap.it/blog/posts/why-architects-code.html

Syndication of article from last month:

More discussion: https://news.ycombinator.com/item?id=39049956

https://github.com/SashenJayathilaka/Photo-Sharing-Applicati...

Out of the 1600 packages, just looking at package names:

227 are related to Jest, 167 are related to Babel, 93 are related to PostCSS, 66 are related to Webpack, 47 are related to Firebase, 43 are related to Webpack, 24 are related to Workbox.

There are even more packages that are related to those but whose name doesn't include the main product.

These multi-packages, in 90% of cases, are all maintained by the same people and often live in the same GitHub repository.

As someone else had once said, limitation sparks creativity. Without limitations (such as for instance a low number of dependencies, or deliberately simpler code) the activity becomes mundane and overly goal-focused, which ultimately results in poor quality of the outcome.

I personally found myself greatly improve the quality of all my activities in life by imposing "challenging" limitations on them. Though surely it's not an approach for everyone.

It’s going to be interesting when the people who made things like Linux die and there’s nobody to replace them.

For example, today I was trying to … put a link into Slack. And it is very clear, as a user of Slack, that Slack utterly lacks a parser and is almost without a doubt simply tossing some regexes at the problem. A parser might be "more code" … but it would simply work, whereas I often find valid markdown getting mangled by … whatever is attempting to "parse" it, but probably isn't.

We have a script that renews certs with certbot. If I get enough free time, I'm going to be replacing it with a Rust program, as certbot is just too difficult to get automated. It wants to prompt users with questions (do you want to upgrade to EC? No, no, I just want to renew) and regularly fails (it attempts to wait for DNS propagation, but it does so too simplistically; this is made doubly hard on its part that Cloudflare will gladly ack a write in their API … but their DNS is apparently not read-your-writes.)

Even the Rust replacement, which is in a prototype, has to re-implement part of ACME, as the ACME library doesn't expose the part I need. I'd rather not … but missing code.

I want to parse .deb files to walk their dependency tree, but .deb files use an artisanal format. They're old, so I sort of get it, but it's nonetheless annoying.

Read-your-writes is the single biggest reason I have to do inane amounts of retry logic around APIs that ack writes and then gaslight me on subsequent requests dependent on that write.

I've hacked around Cython failing to accurately transpile Python. I've hacked around Azure APIs just … not doing what they're paid to do. I've written scripts to make Docker API calls that … could have been exposed in a CLI tool, but just weren't, because tough cookies.

The WASM people were fighting about whether strings should be forced to be valid, or not. Think about it: every future WASM program might have to deal with SomeNotQuiteAStringType, for the rest of time, all just to make interop with JavaScript "easier". Hopefully, in Rust, we'll get a WasmString with a `.to_string() -> Result<String, Ffs>`, but that's still an fallible path that didn't need to be.

People still think CSV is a decent format.

left-pad, widely derided as "one of those dependencies that is so simple you don't need it", failed to correctly implement the function! Then when the ragefest about it broke out the broken function was standardized.

Go for the longest time didn't have a round function, and the bug report where it was requested got a "it's so simple just implement it yourself" and it took commenters like 6 or 7 attempts to get it right. round()! (Thankfully, Go saw the light and eventually added it to the stdlib.)

In many ways, quality engineers who know what they're doing and write good, high quality systems would go a long ways. But SWE companies are, AFAICT, penny wise and pound foolish in that department, and have traded paying devs for quality with devs dealing with low-quality systems for all of eternity.

The size of software is such a rallying point for malcontents & grumblers. Endless belly-aching, back in my day software was all fast and hand coded in assembly, no, binary, by real men/women.

Load times can be a bit bad, and yes 400MB app sizes so kind of suck but honestly, it'll swap out fine and if you have an even passible modern SSD, it'll swap right back in fine too in crazy fast speeds. In principle it's unpleasant, in practice, for most people this is not a real impact. But oh how it attracts aggression and disdain.

The point about security is interesting because the stakes are so high. And oh my, we do see some epic disasters. What was the npm one with cyrptocoin wallets being drained recently? But you know? In general the number of occurences have been fantastically stunningly low; it's rarely an issue. There's some log4j shit where longstanding legacy unmaintained apps have some horrific vulnerability that no one is around to import the fix for. But generally? Most exploits are dealt with with amazing haste these days, at much shorter intervals than most dev's do uodates, such that most teams likely won't see impact. There's incredibly good tooling available to report dependencies & automatedly offer patches. The stakes are high but our defenses are astoundingly modern capable & fast acting. We are vulnerable, absolutely, but in practice where we are is amazing.

The security footing I think is hella legit as a plea for lean software. Far more so than so many other persistent endless grumbles. I'm so weary that so many folks have a common place to get together and bellyache & moan, endlessly, again and again, about how bad software is, and how awful things are, when it's not. Shit is amazing. Our ability to stitch great shit together is amazing and having some extra code or parallel utility functions coded in just isn't really a great offense.

Software has plenty of bad architectures underneath the surface, that make it low performance and bad. There's real hard problems about doing minimal amount of work when things change, figuring out what work to do, understanding what data structures and algorithms are helping and hurting. I want software dissenters, I want anger, but it feels like such low grade feed stock complaints that focus on such low & mostly-irrelevant factors that they can easily get together & breed disdain over.

So, here we are in 2024, and this security stance seems like a super legit if improbable thing to be terrified about, an actual forcing function to care about the growth of software under layers. If only we had some kind of secure maybe cross-language hopefully capabilities-based sandboxed system for running code that we could use to run libraries safely in... Aoj wait, we do, it's called wasm, and wasi just shipped preview 2 with component-model, so we can make this happen. I'm excited that we can progress past this reason for conservative Fear Uncertainty and Doubt, by encapsulating the problem and containing it, without having to undergo some radical revolution where we completely remake software development in some undefined safe secure mysterious way where everyone starts all using the same code which we all agree is the exactly right code & nothing else is possible. People love to get together & feel smug that they have been in touch with the better halcyon universe where everything is great & only as it should have been, but no one has offered even the remotest suggestiom of how we get there. MS tried with years of .NET but even they had to constantly reinvent what batteries included meant. Who else will do better, make only perfect decisions, such that no one else ever need touch or address the topic again? This longong for some higher authority to make code perfect & simple as can be flies in the face of what should be exciting & compelling & powerful about the coding world to me; it's messiness brings amazing glory & possibility & we thresh towards better slowly & chaotically. What happens is amazing & I'm so tired of the positive of this world having no outlet, no rallying points, while the people who want to trash software can cand together so regularly so easily & so frequently. It's unfair that software conservatism has as much appeal as it does, and wasm stands to cut this reality-bias off at the kneecaps, thank the stars.

Nobody, of course, but complaining about "kids these days" is never going to stop being popular.