| 1 |
On Mon, 2020-04-20 at 16:04 -0500, William Hubbs wrote: |
| 2 |
> Your proposal seems to completely go against how the go ecosystem operates, |
| 3 |
> but if you can come up with a proof-of-concept for how it would work |
| 4 |
> without forcing a lot of busy work on us that would never get accepted |
| 5 |
> upstream, I'll take a look. |
| 6 |
> |
| 7 |
|
| 8 |
Define 'busy work'. |
| 9 |
|
| 10 |
Is doing things right 'busy work' vs taking shortcuts? Is it 'busy |
| 11 |
work' that I'm putting a lot of effort into fixing Python packages? |
| 12 |
Should I just last rite them all and tell people to use virtualenv? |
| 13 |
|
| 14 |
Is testing packages 'busy work'? I suppose it's all easier when you |
| 15 |
just silently include 240 dependencies without testing a single one of |
| 16 |
them and call it a day. Sure, you run some tests on the final package. |
| 17 |
Leaves 240 untested, some of them likely failing tests and requiring |
| 18 |
'busy work' to fix them. |
| 19 |
|
| 20 |
Is security support 'busy work'? I suppose it's all easier when you |
| 21 |
ignore them problem and let security team deal with it (except they |
| 22 |
won't). Sure, you can assume that when vulnerability is discovered, all |
| 23 |
upstreams will eventually learn of it, update their bundled dependencies |
| 24 |
and *maybe* inform people that their code might have been indirectly |
| 25 |
vulnerable (but would they do the 'busy work' of discovering whether it |
| 26 |
affected them or not?). |
| 27 |
|
| 28 |
I realize Go is not isolated here. It's just brought as one major |
| 29 |
example. Rust is no better. All these shiny 'write and forget' |
| 30 |
languages share the same problem. Pay for some work hours, get |
| 31 |
a working product, deploy it and forget unless customers want more |
| 32 |
features. |
| 33 |
|
| 34 |
Today these languages are still young and the problems can be considered |
| 35 |
largely theoretical. But some day -- well, unless all the cool kids |
| 36 |
manage to move on to next shiny new language before then -- this will be |
| 37 |
a major catastrophe. |
| 38 |
|
| 39 |
-- |
| 40 |
Best regards, |
| 41 |
Michał Górny |
Archives