upvote

points

by vsgherzi17 hours ago |
comments
upvoteby pier2516 hours ago|
next
[-]
If the fat std library is not viable you can only increase security requirements.

Axios has like 100M downloads per week. A couple of people with MFA should have to approve changes before it gets published.

reply
upvoteby cromka16 hours ago|
parent|
next
[-]
This is the actual answer: stupid cost saving creating an operational risk.
reply
upvoteby Barbing15 hours ago|
parent|
prev|
[-]
At least then they will have to pay off a dev or something, changes their economic calculus and is additionally illegal
reply
upvoteby rectang17 hours ago|
prev|
next
[-]
Hosting curated dependencies is a commercially valuable service. Eventually an economy arises where people pay vendors to vet packages.
reply
upvoteby goodpoint14 hours ago|
parent|
next
[-]
It's what linux distributions do.
reply
upvoteby consp12 hours ago|
parent|
[-]
Queue appimage or other packed binary and there go your finetuned packages.
reply
upvoteby silon429 hours ago|
parent|
next
[-]
Yes, that why those need to be 100% sandboxed by default (ideally a VM), unless they are provided by distro
reply
upvoteby 5 hours ago|
parent|
prev|
next
[-]
deleted
reply
upvoteby tankenmate17 hours ago|
parent|
prev|
next
[-]
It already exists; cloudsmith
reply
upvoteby anthk9 hours ago|
parent|
prev|
[-]
Linux distros and BSD ports did that since the 90's. When Linux distros had barely a PM or just tarballs, Infomagic sold 4 CD full of libre software. When I had no internet at home, back in the day I bought 3 DVD's of Debian Sarge for 20 euros, about $20. A bargain, it was the price of a hard-cover best seller book.

GB's of libre software, graphical install, 2.6 kernel, KDE3 desktop, very light on my Athlon 2000 with 256MB of RAM. It was incredible compared to what you got with Windows XP and 120 Euro per seat. Nonfree software and almost empty.

And, well, if for instance I could get read only, ~16TB durable USB drive with tons of Guix packages offline (in a two yearly basis with stable releases) for $200 I would buy them in the spot.

You would say that $200 for a distro it's expensive, but for what it provides, if you are only interested in libre gaming and tools, they amount you save can be huge. I've seen people spend $400 in Steam games because of the Holyday sales...

reply
upvoteby a-french-anon13 hours ago|
prev|
next
[-]
Why wouldn't the "fat std" thing work? Yes it's hard to design properly, both in scope and actual design (especially for an unstandardized language still moving fast), but throwing the towel and punting the problem to the "free market" of uncurated public repos is even worse.

It's what we call in France "la fête du slip".

PS: that's one reason I try to use git submodules in my Common Lisp projects instead of QuickLisp, because I really see the size of my deptree this way.

reply
upvoteby junon13 hours ago|
parent|
next
[-]
Because fat std is rigid, impractical, and annoying.
reply
upvoteby grey-area10 hours ago|
parent|
next
[-]
In practice (e.g. Go) it’s actually pretty good and infinitely preferable to third party everything.
reply
upvoteby majorbugger6 hours ago|
parent|
prev|
next
[-]
Yeah, it's annoying to have good support for dates in Java since 2014, instead of only getting it now like in JS.
reply
upvoteby dboreham6 hours ago|
parent|
prev|
next
[-]
I think we found the constituency that led to the present sorry situation.
reply
upvoteby junon5 hours ago|
parent|
[-]
That's rather rude.

If you're referring to my packages on npm, I joined way late to that game. This was also ~15 years ago.

reply
upvoteby PunchyHamster9 hours ago|
parent|
prev|
[-]
Works just fine in Go.
reply
upvoteby hypeatei12 hours ago|
parent|
prev|
[-]
Fat std library mistakes/warts would likely result in third party packages being used anyway.
reply
upvoteby a-french-anon9 hours ago|
parent|
next
[-]
Not necessarily, but let's agree that some design faults would happen: you still get the option to use the solid, boring and slightly rusty std instead of another 100 dependencies from the supply chain supermarket.

At work, we're happy with Python's included batteries when we need to make scripts instead of large programs.

reply
upvoteby wolvesechoes10 hours ago|
parent|
prev|
[-]
So it provides another option, and in worst case it doesn't make situation worse than it is right now?

Yeah, pretty bad idea.

reply
upvoteby 16 hours ago|
prev|
next
[-]
deleted
reply
upvoteby Joeri11 hours ago|
prev|
next
[-]
NPM should have a curation mechanism, via staff review or crowdsourcing, where versions of popular packages are promoted to a stable set, like linux distros do. I would only use curated versions if they had such a thing.
reply
upvoteby brigandish16 hours ago|
prev|
[-]
An alternative:

- copy the dependencies' tests into your own tests

- copy the code in to your codebase as a library using the same review process you would for code from your own team

- treat updates to the library in the same way you would for updates to your own code

Apparently, this extra work will now not be a problem, because we have AI making us 10x more efficient. To be honest, even without AI, we should've been doing this from the start, even if I understand why we haven't. The excuses are starting to wear thin though.

reply
upvoteby pjc5015 hours ago|
parent|
next
[-]
Just going to put features on hold for a month while I review the latest changes to ffmpeg.
reply
upvoteby tick_tock_tick16 hours ago|
parent|
prev|
[-]
I don't know where you've worked but a hostile and intelligent actor or internal red team would succeed under each of those cases at every job I've worked at.
reply
upvoteby Hackbraten14 hours ago|
parent|
next
[-]
Defending against a targeted attack is difficult, yes. But these recent campaigns were all directed at everyone. Auditing and inspecting your dependencies does absolutely help thwart that because there will always be people who don't.
reply
upvoteby bitwank15 hours ago|
parent|
prev|
[-]
Good to know. Where were the places you worked at?
reply