1. 8

  2. 2

    One thing lacking from the main article is a discussion of the bugs caused by OS-provided dependencies. The best example that I can think of is a WebView-based game for Android, which, concurrent with an OS WebView update, no longer renders correctly. Bringing dependencies in-house allows developers to deliver a better user experience, by virtue of closer control.

    Maybe a viable compromise would be to relax the no-bundle policy, but still require packages to declare their dependency versions in the package manifest. This way, when the package is running with an out-of-date library, it can be red-flagged by the OS automatically.

    1. 2

      I actually liked the proposal to only accept it when it is a “non-critical path” application. Too bad it seems gone… whether or not it is easy to ‘unbundle’ says something about the maturity and quality of the software. If it is hard, the software is likely badly designed. Dependency hygiene is very important.

      If developers consider using high quality dependencies that provide semantic versioning (http://semver.org/), the work required to unbundle is minimal and it wouldn’t be a problem at all. But once you go down the road of depending on a master or even development branch of a dependency for your released software, or worse, just copying it into your source tree, modifying it a bit, without any reference, it becomes a nightmare.

      I think considering packaging your software for a distribution and following their guidelines actually forces you to think more about the design of your application and the use of dependencies. If you feel the cost of depending on shitty libraries, you are less likely to fill up your dependency list with 100+ dependencies with various maturity levels, and you restrict yourself to using high quality, already packaged, dependencies and write the 3 lines of code you need from library X, Y and Z yourself.
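The manifest proposal earlier in the thread (declare dependency versions, let the OS red-flag out-of-date libraries) combined with the semver point above, as an added example that is not code from any distro or package manager; the manifest syntax, the installed-version table and the caret rule are assumptions:

```python
import re

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
CONSTRAINT_RE = re.compile(r"^(>=|==|<|\^)\s*(\S+)$")

def parse_version(text):
    """'1.4.2' -> (1, 4, 2); anything that is not plain semver is rejected."""
    m = SEMVER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    return tuple(int(p) for p in m.groups())

def satisfies(installed, constraint):
    """True if the installed tuple meets one constraint: '>=1.2.0', '<2.0.0', '==1.2.3'
    or caret '^1.2.0' (same major, not older; for 0.x the minor is the breaking part)."""
    m = CONSTRAINT_RE.match(constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, want = m.group(1), parse_version(m.group(2))
    if op == "^":
        upper = (want[0] + 1, 0, 0) if want[0] > 0 else (0, want[1] + 1, 0)
        return want <= installed < upper
    return {">=": installed >= want, "==": installed == want, "<": installed < want}[op]

def check_manifest(manifest_text, installed):
    """Return (name, reason) for every declared dependency the OS cannot satisfy.
    manifest_text: lines of 'name constraint...' (constructed format, '#' comments);
    installed: dict name -> version string of what the OS currently ships."""
    flags = []
    for line in manifest_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, *constraints = line.split()
        if name not in installed:
            flags.append((name, "missing"))
            continue
        have = parse_version(installed[name])
        for c in constraints:
            if not satisfies(have, c):
                flags.append((name, f"installed {installed[name]} violates {c}"))
    return flags

# Constructed sample: what a WebView game declares vs. what the OS ships after an update.
SAMPLE_MANIFEST = """
webview ^2.3.0            # the WebView line this game was tested against
libpng  >=1.6.0 <2.0.0
zlib    ==1.2.11
"""
SAMPLE_INSTALLED = {"webview": "3.0.1", "libpng": "1.6.37"}
```

Running `check_manifest(SAMPLE_MANIFEST, SAMPLE_INSTALLED)` flags the WebView major bump (the renderer change the thread describes) and the missing zlib, while libpng passes quietly.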

      1. 1

        nix nix nix nix guix guix guix guix

        It just feels like we have the “right” answer sitting in front of us, and these larger distros are either largely ignoring it (Fedora here) or using huge disk images with each package and not exposing their dependencies (Ubuntu / Snappy).

        1. 1

          Could you explain how that solves the problem in question?

          1. 1

            The concept of even needing to bundle is completely eliminated when you can trust that you can depend on a very specific version / edition of software, regardless of what other versions exist on your system.

            Nix and Guix both have extremely good systems for eliminating the type of “library” problems that this article is concerned with.