I have Thots about this one (from the braying Tim, urging you to write software with 0 dependencies, which I think is literally impossible unless you are the kind of person who does hardware bringup via bit-banging, but also that's not what he's talking about): https://www.tbray.org/ongoing/When/202x/2024/09/04/0dependencies
By “zero dependencies” he means “none of *those* dependencies”, you know, the ones we shudder at when we look at node_modules and count, not the ones that quietly make entire software ecosystems possible.
Is a dynamic library a dependency?
Postgres?
An operating system?
All of these things are software modules we use that are successfully bundled away behind often very successful interfaces (libc, sql, posix, etc). But probably we're talking about leftpad. He mentions `xz` specifically, a dep that most people don't realize is in use in most of the places it's used.
“Minimize and think about them” is a stance I can get behind.
-
Thinking further…
We don't like paying for our software dependencies, do we. We really hate it. We don't like paying the people who write the things that entire worlds of software depend on. We demand things from them to protect ourselves from *our* supply chain deficiencies without offering them anything in return.
Example: every somewhat off-target demand that maintainers of something popular turn on 2FA. Is 2FA helpful? Yes. Does it absolve you of responsibility for your own software supply chain? No. See https://blog.ceejbot.com/posts/multi-factor-panacea/
That blog post gives you a first take on what my response to Tim Bray's post is going to be.
1/N