Well... if you look at it like that, package managers help in the misuse of dependencies, but aren't the cause of the problems. I like package managers in general because they indeed make installing software and using dependencies easy. The one thing I DON'T like is that your software is installed or built from stuff gathered from over the entire internet, often without the option to save those downloads and reuse them, and if something changes, everything breaks. (The "stub installers" that are so popular nowadays are in the same boat. You start an installer, and it then downloads 4.5 GB of software when you just tick "C++ build tools". I'm looking at you, Microsoft.)Ras wrote: ↑Sat Apr 25, 2020 1:09 amIn a way, they are - because they make dependencies "easy". The consequence is that people use them nilly-willy so that package managers create dependencies, and lots of them recursively. That's the same in every such ecosystem. You install some small package under Linux, and before you look, 120 packages are installed. You type NPM for "hello world", and 95 GB of JS trash get downloaded, then compiled for 7 days, and you end up with "only" 2 MB of JS code by nobody knows whom from all over the world.
Search for the npm "leftpad fiasco" if you want to read an "entertaining" story. In short, some dude wrote a 10 line function to pad strings and numbers with some character, from the left and put it on the npm site. It got used in some HUGE world-encompassing projects; not used immediately probably, but through the dependency tree. At some point the guy got into an argument with the company maintaining NPM, and then removed his function from the registry. Half the internet and javascript/typescript world was broken for a few hours...
I have to look into Cargo's new "Vendor" option. It allows you download all the dependencies your program needs, and then stash them somewhere, so you don't need the internet to compile your program.
I think that this is a real problem for a systems programming language. Dependencies in C and C++ are a hell; if you download some source code, you may never now what you're going to find because often, the dependencies are not in the repository. You'll have to scour the internet for just THAT version. Something like Cargo makes that much easier IF crates depend on specific versions. If they are configured like "Just use minimum version such-so to satisfy my dependencies", then it WILL break at some point if not maintained.Now with websites, nobody cares whether the project will even build three weeks from now because by then, the whole website tech stack will have been replaced by one of the 200 new JS frameworks that will have appeared by then. Mozilla is part of this "move fast and break things" culture because nobody needs to build a three years old browser full of security holes. Even Mozilla's ESR cycle is just one year. It's the culture of an ecosystem that has neither use for nor appreciation of longevity.
I've tried several chess engines written in Rust, and ALL of them have compilation problems because they depend on obscure unmaintained crates, or on just THIS experimental feature that just existed in THOSE three versions of Rust nightly and then got dropped.
The one reason I chose to do embedded software (for which there isn't a huge market anymore in the Netherlands compared to front-end and back-end internet work...) is because I can write a piece of software, and then have it exist for 20 years.
=== Some musings about longevity of software and the future. Skip if you're not interested. ===
I'm completely convinced that if there is ONE language in the world right now that COULD displace C at some point, it's Rust. The only reason why it probably won't, is because other languages such as Go are backed by huge corporations. And Microsoft has been experimenting with Rust, and they like it... instead of helping to improve it, they have started a similar language called "Project Verona". If that one ever lands, and MS positions it as a successor to C# and Visual C++, then THAT will be the new systems programming language for computers... for Android it'll be Go (because of Google), and Swift for iPhones (because of Apple). And C. Because some hardware is just too small to be able to run anything else but C.
I've decided to port my engine from Rust to C after it is finished. The programming paradigm used in Rust ("functions that work on structs", or "pseudo-object oriented programming") is very common in the C-world, and was what I've used often in the past. Therefore Rust was a natural fit for my coding style, and porting my engine to C will probably as easy as just typing the code again, 1-to-1 with some tiny changes to accommodate C. Then I'll maintain the engines next to one another.
The only reason why I'm doing that is just to have two sister engines in different languages. Maybe I'll even port it to FreePascal or Ada somewhere in the future... but it will NEVER be ported to Go. (Or any version of C#.) If it has a garbage collector, I won't be using it for personal projects, ever. These languages are too slow.
All of the 90's and 2000's things are on a decline, or being changed to what came before. What I mean is that, in the 90's and 2000's, we went to dynamic languages, almost without types (PHP, Javascript, Python...) and now, after software in those languages gets bigger and bigger, it is discovered that it's not maintainable or extendable. PHP now has type hints. Javascript is evolving into Typescript. Python has type hints. And so on... Even though C "won" in the 70's and the 80's because of raw power, and dynamic/loose-type languages "won" in the 90's and 2000's because they were easy to get started with, the language that actually gotten it right were Ada and Pascal: super strong typing (even stronger than Rust in some places), and fully static.
This is the reason why Ada is used in the automotive and aerospace industry.
Structured Text is used in PLC and factory/industrial programming; it basically is a standardized derivative of Pascal.
If you could add memory and thus thread safety to these languages, they'd be on par with Rust.
Raw power + memory safety + thread safety + no garbage collector (in whatever language) is the only way forward, IMHO. Some companies are porting their Node.js/Typescript and Python code bases over to Rust, and seeing multi-million dollars of savings per year, because the CPU- and memory requirements they had when running on cloud platforms dropped by like 80+%.
Why Discord is switching from Go to Rust
So Discord started out with a modern language... and it still switched to Rust, because Go is not fast enough and not safe enough. Imagine if you're coming from C#, or even Javascript or Python. As I said... a language such as Rust (but it doesn't necessarily have to be Rust itself...) is the only correct way forward.