
Dependency - kjhughes
https://xkcd.com/2347/
======
hardmath123
A couple years ago I wrote a program to make dependency diagrams just like
this! [https://github.com/kach/tower-of-power](https://github.com/kach/tower-of-power)

Here's `pdf-redact-tools` from Homebrew: [https://github.com/kach/tower-of-power/blob/master/gallery/p...](https://github.com/kach/tower-of-power/blob/master/gallery/pdf-redact-tools.box.svg)

Here's the CS core at Stanford (dependency = prereq):
[https://github.com/kach/tower-of-power/blob/master/gallery/c...](https://github.com/kach/tower-of-power/blob/master/gallery/cs.box.svg)

~~~
marcrosoft
Speaking of homebrew, its author definitely fits the tiny block in this
cartoon.

~~~
SilasX
The first thing I thought of was OpenSSL:

[https://news.ycombinator.com/item?id=7575210](https://news.ycombinator.com/item?id=7575210)

~~~
majewsky
GnuPG and ffmpeg also come to mind.

~~~
SilasX
Yes, I remember GPG being in the news for that:

[https://www.propublica.org/article/the-worlds-email-encrypti...](https://www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke)

But I also remember the takedown about no one actually relying on email
encryption for security:

[https://news.ycombinator.com/item?id=22368888](https://news.ycombinator.com/item?id=22368888)

------
aljgz
Author of one such library faced serious problems. He has opened up yesterday
in this blog post.

[https://medium.com/@behdadesfahbod/if-you-read-one-thing-fro...](https://medium.com/@behdadesfahbod/if-you-read-one-thing-from-me-please-be-this-2262ec7b8af2?source=friends_link&sk=e29ac54d3fbed71de045ed6a5857280b)

His tweet:
[https://twitter.com/behdadesfahbod/status/129532694517805465...](https://twitter.com/behdadesfahbod/status/1295326945178054659?s=20)

The library:
[https://github.com/harfbuzz/harfbuzz](https://github.com/harfbuzz/harfbuzz)

~~~
apta
Who attempted to force his employer to fire him for a code of conduct
violation?

~~~
aljgz
I don't know what part of his story you refer to; if it's:

"It took me weeks to regain access to my accounts, which were disabled after
my employer (Facebook) was notified and embarked on disabling them."

I guess they've disabled his account to prevent the intelligence services from
accessing any sensitive data.

~~~
apta
It's there in the tweet he links:
[https://twitter.com/behdadesfahbod/status/127513187003691417...](https://twitter.com/behdadesfahbod/status/1275131870036914177)

~~~
aljgz
I think it's an unrelated issue.

------
outworlder
Image title:

> Someday ImageMagick will finally break for good and we'll have a long period
> of scrambling as we try to reassemble civilization from the rubble.

EDIT: don't forget to always hover over the image. Half of XKCD's fun comes
from those tidbits.

~~~
WrtCdEvrydy
Honestly, yes, imagemagick is such a ridiculous dependency for everything.

~~~
AceJohnny2
Why is GraphicsMagick [1] not a more popular alternative?

[1] [http://www.graphicsmagick.org/](http://www.graphicsmagick.org/)

~~~
ashtonkem
Same reason any legacy dependency remains; the cost of replacement is higher
than the cost of maintenance.

~~~
AceJohnny2
It's meant to be a drop-in replacement, the cost of replacement should be
negligible.

~~~
wtracy
Both projects are moving fairly fast, and regularly adding new features that
are not shared.

The last time I made heavy use of ImageMagick/GraphicsMagick, I was surprised
how often I would find a feature present in one and not the other (often
things like drawing gradients).

And it's not like one has a superset of the other's features: I once painted
myself into a corner and created a project that depended on both ImageMagick
_and_ GraphicsMagick.

------
dx87
This trend towards huge dependency trees has started to turn me off getting
serious about learning software development. It seems like unless you want to
make a toy program, you end up with hundreds of dependencies, most of which
are made by volunteers who could decide they don't feel like working on it any
more. Even having someone paid to do the work doesn't seem like it matters
anymore when you consider that Mozilla just laid off a bunch of technical
employees to focus on whatever else.

Are there any other solo devs who get "dependency anxiety" and don't want to
start working on a project because you worry that you'll have wasted your time
if one of the hundreds of dependencies breaks something, and there is nobody
to fix it (like a crypto library for example)?

~~~
chadash
I'm sorry to hear you feel afraid to learn more software development, but I
think these concerns are largely unfounded. First of all, dependencies don't
break just because they are unmaintained. If it worked ten years ago, it
should still work now. For particularly complicated dependencies, there's a
likelihood that they have bugs. But if they are popular, these bugs are often
either things you probably won't ever come across or can work around if you
do.

Finally, the beauty of open source software is that you can fix things
yourself! Found a package from 10 years ago that works 99% of the time, but
you just need to fix one thing or add one tiny feature? Not a problem, you
fork the repo and add what you need.

~~~
dx87
Gotcha, thanks for the feedback. I've never done professional software
development, it's just something I picked up to broaden my skillset, so it's
good to know that the concerns aren't really an issue in practice. Regarding
fixing bugs in the dependencies, I think that's like a chicken/egg problem for
me. I use the dependencies because I don't have the time or skill yet to make
the functionality on my own, which means I also don't have the time/skills to
fix bugs in the dependencies. I think I probably have to buckle down and get
over that hump to be confident enough to make bigger projects that need more
dependencies.

~~~
james_s_tayler
Part of the skillset is evaluating dependencies on how well they fit with your
goals, both technical and strategic, what level of risk/benefit they pose,
and how those dependencies are placed in their respective ecosystem.

Usually any ecosystem has a core set of dependencies that are heavily relied
on by most or a lot of projects as the go-to solution for a given problem.
Then there are often sets of dependencies where there are several popular well
maintained choices to pick from depending on your needs.

Where it gets a little trickier is things that are a bit more niche. That
being said, most software development just wouldn't be possible without
standing on the shoulders of giants so to speak cos it's just so time
consuming.

They're far more of a benefit than a detriment but you have to learn to assess
them and make choices based on your individual considerations.

------
obilgic
Yes, it's the dependency system's weakness, but that's also what makes this
system very strong:

If one of those base-level things breaks, everyone who depends on it will come
together and replace/fix it instantly.

~~~
gowld
Or they won't.

~~~
ikt
This precedent suggests they will:

[https://en.wikipedia.org/wiki/Heartbleed#Root_causes,_possib...](https://en.wikipedia.org/wiki/Heartbleed#Root_causes,_possible_lessons,_and_reactions)

The industry's collective response to the crisis was the Core Infrastructure
Initiative, a multimillion-dollar project announced by the Linux Foundation on
April 24, 2014 to provide funds to critical elements of the global information
infrastructure.[192] The initiative intends to allow lead developers to work
full-time on their projects and to pay for security audits, hardware and
software infrastructure, travel, and other expenses.[193] OpenSSL is a
candidate to become the first recipient of the initiative's funding.[192]

After the discovery Google established Project Zero which is tasked with
finding zero-day vulnerabilities to help secure the Web and society.[194]

------
aetherspawn
Would anyone donate to a service that maps your dependency tree and breaks up
your donation to support the projects in your entire tree (not only surface
level) proportional to their usage or something like that?

~~~
rabidrat
It's been proposed and tried before, and I think generally deemed not worth
it. a) Almost no one donates, b) the donations would be broken up to
infinitesimal levels, helping no one, and c) there are people who devote their
working lives to OSS without compensation, other people who write a few cute
small libraries/tools but don't need the money, and then there are
corporations who contribute to open-source for their own benefit. The
proportion of money that would go to your favorite OSS heroes would be
embarrassingly small; compounded by the low donation level and general
dilution.

~~~
koolba
Also you end up with a handful of people making 1000s of one liner libraries
that link to each other in an effort to game such systems.

~~~
whatch
At the same time other people will be more motivated not to include one-liner
libraries to not further dilute donations.

------
RyanShook
I’m constantly amazed by the quality and consistency of the open source
community. Can you think of any other industry where massive companies are
built on top of free infrastructure?

~~~
tamrix
OpenSource software isn't free. It costs people's time to develop and
maintain. Calling it 'free' devalues the projects and their maintainers by
giving the impression their time isn't worth anything.

We as the OpenSource community need to start moving towards a more sustainable
approach to OpenSource development. First step: Stop calling it free.

~~~
phist_mcgee
Oh god this is the same argument rolled out by opponents of socialised
healthcare. If it's free then you are forcing the doctor to work for no pay!
Stop splitting hairs over the meaning of 'free' in this context. It is free to
the end user, it is not free to the developer or maintainer.

I make Christmas hampers for the poor, I call them free hampers. Of course
they are not free, but to the end user they are.

And no, people are not going to start using the word libre, it is not an
English word and it is not used widely enough outside of computing and it will
probably not catch on. /endrant

------
Quarkonout
A big part of Go's success is due to the large and useful standard lib. This
kind of ecosystem feature is much more valuable than any language feature.

If the Rust guys understood this and put an async runtime, HTTP server
and client, crypto and some more essentials in the standard lib, the adoption
would be much higher. Then we would have a super robust language and a super
robust ecosystem. I don't think the borrow checker is the issue with Rust's slow
adoption in the mainstream backend business.

~~~
majewsky
I can't speak for the Rust devs, but as far as I'm aware, the long-term plan is
to have more stuff in std, but only once they're fairly certain they have the
right design. Async/await is a good example. The Rust community explored the
design space for async runtimes for several years before they felt comfortable
settling on a design for the initial pieces of std.

The process is definitely frustratingly slow, but going faster has burned the
Rust devs already in the past (just look at how much stuff in
std::error::Error is deprecated).

~~~
steveklabnik
The main problem isn't just that; it's also that Rust cannot decide that a
one-size-fits-all executor is the only one. Different properties are needed
for different projects, and blessing any one executor cuts off all of the rest
of them.

Tokio is fantastic for web services, but is inappropriate for my
microcontroller.

~~~
majewsky
Do you have a notification daemon for every HN comment that mentions Rust? :)

~~~
steveklabnik
Nope, just use the search bar.

------
beervirus
And when the Nebraskan sells the project to a scammer, we’re all in trouble.

~~~
daenz
Can you do that? I'd be open to selling an open source project that gets over
1M monthly downloads. I can't seem to monetize it otherwise.

EDIT>> "Can you do that?" meaning, "Can you sell an open source project?" Not
"Can I sell to a scammer?", for people accusing me of planning to commit a
crime.

~~~
WrtCdEvrydy
Please don't... we already had our scare in the past when someone handed over
the JS project for something to a third party and broke the internet.

~~~
coreyoconnor
"please don't" doesn't pay the bills. You want those people to avoid
transferring the reins for cash? Find some sustainable way to pay them. No
amount of feel good platitudes will do that.

~~~
gowld
Crime isn't supposed to pay the bills either. You have no right to give away a
gift and then burglarize anyone who accepts it. If you don't want to give your
work away, put a protective license on it.

~~~
coreyoconnor
While the above case is (arguably) a crime, in general crime is unrelated to
this issue.

As for licensing: totally agreed. I would like to see more projects with
protective licensing.

Too many projects are basically donations to Amazon.

------
DethNinja
This is why you are supposed to choose whichever dependency you add to your
project very very carefully.

Also, each dependency you add to a project is a security risk in itself. I
really can't believe how web designers casually add dependencies without a
second thought, especially with dependency management systems like npm.

People give C++ lots of hate, but thanks to not having an easy way of adding
complex dependencies, it has fewer dependency-driven bugs/security issues.

~~~
TylerE
> People give C++ lots of hate, but thanks to not having an easy way of adding
> complex dependencies, it has fewer dependency-driven bugs/security issues.

Oh, come on. The number of security issues in things like libssl alone is
enormous.

~~~
pfundstein
Oh come on, you're describing a single dependency which, being encryption, is
exactly the sort of thing you're generally recommended not to roll yourself.

Don't try and tell me C++ projects in general have more dependencies than high
level languages.

~~~
rossjudson
Nope, but I'm happy to tell you that C/C++ projects in general have more
security flaws than high level languages.

~~~
pfundstein
Don't shift the goal posts, we're talking specifically about dependencies and
dependency driven bugs.

~~~
dodobirdlord
Languages like C++ that lack memory safety have the irritating property that a
memory safety error anywhere in the dependency tree can be exploited to attack
unrelated parts of the binary. In most languages you don’t have to worry that
some stateless pure-function log formatter is secretly the gap in your armor.

------
zzo38computer
I don't use a lot of dependencies in my software (some uses none except the
standard library, or for software that runs on a VM, the VM it runs on
(although any implementation can be used)). (Probably the only program I do
maintain that has too many dependencies is TeXnicard, because it depends on
Ghostscript (which has a lot of dependencies). It also uses PCRE and SQLite3
(which are not so bad, since they don't have other dependencies).)

In terms of ImageMagick, I used to use it but now maintain my own set of
programs for dealing with picture files (almost entirely written in C,
although the ones for converting to/from fax format are in PostScript; I may
later write a version in C as well, so that you can use it if you do not have
a PostScript interpreter). Like most software I write, I try to not use many
dependencies if I can avoid it. (It doesn't use libpng either; it is using
LodePNG, which is better in many ways, in my opinion.) (This set of programs
I wrote also has many effects that I have not seen in other programs, such as
automatic rearranging in a horizontal or vertical strip, removing duplicates
from a vertical strip, and making the tensor product of two pictures. There
are also file formats ImageMagick does not support.)

------
ericjang
What are some examples of this?

~~~
banana_giraffe
SQLite feels like this to me. It's more than one person, and it's not
thankless work (at least, I hope). But still it is critical to a surprising
amount of technology, and maintained by a very few people.

~~~
outworlder
And, at the same time, it's a very underused piece of tech.

Every time you think you need a custom file format for a given piece of
software... you most likely don't. Just use SQLite. You can use the standard
OS file Open/Save dialog box and users will never know the difference.

Yes, that means you now have to write SQL statements to manipulate your data.
But that also means that you can get lots of complicated data structures on
disk and can manipulate them easily, even outside your own software - just
fire up the sqlite CLI and point to your file. There are GUIs as well.

Things like UNDO/REDO can also be had almost trivially (see
[https://www.sqlite.org/undoredo.html](https://www.sqlite.org/undoredo.html))

Sometimes this also means you don't need an external RDBMS even for web apps.
I've seen so many apps which co-locate a small database in the same box that
might as well have been a single sqlite file. I'm actually maintaining one
right now that, although relatively important, will only ever be a single box.
But sqlite wasn't 'enterprisey' enough, had to use PG. For a couple of tables.

[https://www.sqlite.org/whentouse.html](https://www.sqlite.org/whentouse.html)

Subscribe for my next rant on another underused piece of tech... Lua :)
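
The undo/redo remark above refers to the trigger-based scheme documented on the linked sqlite.org page. What follows is an added example, written for this thread rather than taken from that page or from the commenter: the same idea, carried out in Python's standard `sqlite3` module (the sqlite.org page presents it in Tcl). The `note` table, its columns and the edit session are constructed for illustration. Each trigger stores the SQL statement that reverses the change it observed; `quote()` renders old values as proper SQL literals, so a body containing quotes or semicolons cannot alter the stored statement when it is later replayed.

```python
import sqlite3

# Constructed schema: one table the application edits (name and columns made
# up for this example) plus the undo log the triggers write into.
SCHEMA = """
CREATE TABLE note(id INTEGER PRIMARY KEY, body TEXT);
CREATE TABLE undolog(seq INTEGER PRIMARY KEY, sql TEXT NOT NULL);

-- Each trigger records the SQL statement that reverses the change it saw.
-- quote() renders the old value as a SQL literal, so a body containing
-- quotes or semicolons cannot break out of the stored statement.
CREATE TRIGGER note_insert AFTER INSERT ON note BEGIN
  INSERT INTO undolog VALUES(NULL, 'DELETE FROM note WHERE rowid=' || new.rowid);
END;
CREATE TRIGGER note_update AFTER UPDATE ON note BEGIN
  INSERT INTO undolog VALUES(NULL, 'UPDATE note SET body=' || quote(old.body)
                                   || ' WHERE rowid=' || old.rowid);
END;
CREATE TRIGGER note_delete AFTER DELETE ON note BEGIN
  INSERT INTO undolog VALUES(NULL, 'INSERT INTO note(rowid, body) VALUES('
                                   || old.rowid || ',' || quote(old.body) || ')');
END;
"""


def open_document():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


class UndoRedo:
    """Undo/redo stacks over the undolog table. A user action is every change
    made since the previous barrier(); undoing replays its inverse statements,
    and because the triggers fire again during the replay, the matching redo
    entry is produced without extra bookkeeping."""

    def __init__(self, conn):
        self.conn = conn
        self.undo_stack = []   # (first_seq, last_seq) ranges in undolog
        self.redo_stack = []
        self.first_seq = self._max_seq() + 1

    def _max_seq(self):
        return self.conn.execute("SELECT COALESCE(MAX(seq), 0) FROM undolog").fetchone()[0]

    def barrier(self):
        """Mark the end of one user action."""
        last = self._max_seq()
        if last >= self.first_seq:           # the action actually changed something
            self.undo_stack.append((self.first_seq, last))
            self.redo_stack.clear()          # a fresh edit invalidates redo history
        self.first_seq = last + 1

    def _step(self, source, target):
        if not source:
            return False
        begin, end = source.pop()
        rows = self.conn.execute(
            "SELECT sql FROM undolog WHERE seq BETWEEN ? AND ? ORDER BY seq DESC",
            (begin, end)).fetchall()
        self.conn.execute("DELETE FROM undolog WHERE seq BETWEEN ? AND ?", (begin, end))
        new_begin = self._max_seq() + 1
        for (sql,) in rows:                  # replay inverses, newest change first
            self.conn.execute(sql)           # triggers log the inverse of each inverse
        new_end = self._max_seq()
        target.append((new_begin, new_end))
        self.first_seq = new_end + 1
        return True

    def undo(self):
        return self._step(self.undo_stack, self.redo_stack)

    def redo(self):
        return self._step(self.redo_stack, self.undo_stack)


def bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM note ORDER BY id")]


def demo():
    """Constructed edit session; returns the document state after each step."""
    conn = open_document()
    history = UndoRedo(conn)
    conn.execute("INSERT INTO note(body) VALUES ('first draft')")
    history.barrier()
    conn.execute("UPDATE note SET body = 'it''s the second draft' WHERE id = 1")
    history.barrier()
    states = [bodies(conn)]
    history.undo(); states.append(bodies(conn))
    history.undo(); states.append(bodies(conn))
    history.redo(); states.append(bodies(conn))
    history.redo(); states.append(bodies(conn))
    return states


if __name__ == "__main__":
    for state in demo():
        print(state)
```

The second edit deliberately writes a value containing an apostrophe; the undo log still replays correctly because the trigger used `quote()` rather than bare concatenation. Every table the document edits needs its own three triggers, and an `UPDATE` trigger must list every column it wants to restore.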

~~~
nneonneo
sqlite3 is now very heavily used in the Apple ecosystem - all of Core Data is
built on it, and many of Apple’s own apps use it to store all kinds of data.
It’s a godsend for tinkerers like me too - just point the SQLite CLI at one of
the internal DBs (like the Photos database) and all sorts of cool stuff comes
spilling out.

For on-disk document storage I think Apple mostly uses a mix of plain folders
with magic extensions (“packages”) and ZIP files nowadays, although there are
definitely a lot of exceptions. SQLite isn’t that great for binary blob
storage (relatively speaking) so a folder structure is still more useful
there, IMO.

------
ferros
I wonder what the most critical (and smallest, least maintained) npm package
in the world is?

~~~
fao_
Bold of you to assume it's npm that's being spoken of :D

~~~
ferros
I was thinking of this:

[https://www.sciencealert.com/how-a-programmer-almost-broke-t...](https://www.sciencealert.com/how-a-programmer-almost-broke-the-internet-by-deleting-11-lines-of-code)

~~~
MisterPea
> The problem was promptly fixed, and for the vast majority of us users, there
> was no down-time thanks to caching

I don't know much about npm management, but I'm assuming it actually had
nothing to do with caching? More like most companies have pipelines and
breaking dependency changes won't reach prod.

------
rectang
Well, the first impulse is naturally to just use what's out there for free and
leave it to some other poor sap to shoulder the cost of maintenance. That puts
you ahead in the short run, at the cost of higher risk.

It takes a strong open source advocacy effort to reach out and a
sophisticated organization to be reached, for such an organization to
recognize when it's in their interest to participate in open source
maintenance.

------
styfle
There’s a lot of different metrics to look at when determining if one should
install a dependency or not.

One such metric I found to be missing for npm dependencies was the install
size, which is why I created
[https://packagephobia.com](https://packagephobia.com)

We need more tools to help make this decision because it's easy to add a new
dependency but it's often hard to remove a dependency.

~~~
dakiol
I'm not sure size is a good metric here. For example, a really tiny npm
library like left pad
([https://packagephobia.com/result?p=leftpad](https://packagephobia.com/result?p=leftpad))
is something you don't want to depend on (because you can implement it in a
couple of lines), whereas date-fns ([https://packagephobia.com/result?p=date-fns](https://packagephobia.com/result?p=date-fns)),
which is way bigger than left pad, is a library I definitely don't mind
depending on.

~~~
styfle
That’s a great example!

You looked at the size and determined that it might not be worth bringing on a
small dependency when you can implement it yourself (or rather use
String.prototype.padStart).

It’s not just size alone but size of transitive dependencies.

Both examples you gave don’t have any dependencies (the publish size matches
the install size).

Take a look at some popular dependencies like request or jest and notice the
number of transitive dependencies.

[https://packagephobia.com/result?p=request](https://packagephobia.com/result?p=request)

[https://packagephobia.com/result?p=jest](https://packagephobia.com/result?p=jest)
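
The publish-size versus install-size distinction above comes down to walking the transitive dependency graph, and the same walk is what the donation-splitting idea raised earlier in the thread would have to perform. The following is an added example for this thread, not code from packagephobia, tower-of-power or any other project mentioned here: it reads a constructed lockfile-style map (every package name is made up), computes each package's transitive closure, and ranks the packages the whole tree leans on, which is the single load-bearing block in the comic. Counting nodes rather than bytes is a simplification of what packagephobia measures; feeding it a real lockfile would need a small adapter from that file's format to the plain name-to-dependencies map assumed here.

```python
import json
from collections import deque

# Constructed, lockfile-style input: package -> list of direct dependencies.
# Every name here is made up for illustration; this is not real registry data.
# Two leaf packages are referenced but have no entry of their own, to show
# that the loader has to account for them.
SAMPLE_LOCK = json.dumps({
    "app":            ["web-framework", "test-runner", "date-utils"],
    "web-framework":  ["http-client", "string-pad"],
    "test-runner":    ["http-client", "pretty-printer"],
    "date-utils":     [],
    "http-client":    ["string-pad", "tiny-url-parse"],
    "pretty-printer": ["string-pad"],
})


def load_graph(lock_json):
    """Parse the map and give every referenced package an entry, so packages
    that appear only as someone's dependency are not silently dropped."""
    graph = {name: list(deps) for name, deps in json.loads(lock_json).items()}
    for deps in list(graph.values()):
        for dep in deps:
            graph.setdefault(dep, [])
    return graph


def transitive_deps(graph, root):
    """Breadth-first walk over everything reachable from root (root excluded).
    The seen-set keeps this safe on cyclic graphs, which real lockfiles can contain."""
    seen = set()
    queue = deque(graph.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    seen.discard(root)
    return seen


def direct_vs_transitive(graph, root):
    """The gap packagephobia-style tooling exposes: the dependency count you
    see in the manifest versus what actually lands in the install."""
    return len(graph.get(root, [])), len(transitive_deps(graph, root))


def dependents(graph, target):
    """Reverse lookup: every package whose transitive closure contains target."""
    return {pkg for pkg in graph if pkg != target and target in transitive_deps(graph, pkg)}


def load_bearing(graph, root):
    """Rank root's transitive dependencies by how many packages in root's tree
    (root included) rely on them. The top entry is the single point of failure
    the comic draws: break it and most of the tree breaks with it."""
    tree = transitive_deps(graph, root) | {root}
    ranked = [(len(dependents(graph, pkg) & tree), pkg) for pkg in tree - {root}]
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    g = load_graph(SAMPLE_LOCK)
    print("direct vs transitive for app:", direct_vs_transitive(g, "app"))
    for count, pkg in load_bearing(g, "app"):
        print(f"{count:>3} dependents  {pkg}")
```

On the constructed input, `app` declares three dependencies but installs seven, and the two-line `string-pad` package turns out to be relied on by five of the eight nodes, which is exactly the shape of risk the thread is discussing: the smallest package is the one whose removal would hurt most.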

------
cel1ne
I wonder if you could write a program that scans javascript-dependencies for
function-usage that could be replaced by suites like lodash, to find and
replace "leftpad-style dependencies".

------
KyleBerezin
Would you trust the stability of the dependency more if it was maintained by a
large company, say, Oracle?

------
dimitrios1
This is describing cURL, isn't it?

------
dependenttypes
ImageMagick is the ffmpeg of images.

------
skapadia
All I think of is Angry Birds when I see that picture...

------
gramakri
ffmpeg comes to mind

------
commonturtle
Very well put. I suspect this is one of those xkcd's that will become a
timeless classic, just like the one on standards:
[https://xkcd.com/927/](https://xkcd.com/927/).

