How about: commit your dependency lockfiles, make sure they use content-addressing cryptographic checksums like Cargo.lock does.

This is also needed for both reproducible builds and SBOMs.

If you commit the actual source code you're making things worse, because it makes coordinated source code review efforts a lot harder. Also patch management with actual vendored source code is terrible.

Vendor or fork?

It mostly doesn't work like that even for closed source in DoD. They have to weigh the risk against the very high cost of mitigating the risk. Their resources are large but not infinite.

Even if they trust the developer they may not trust their process. There are many cases of trusted developers having their development environments compromised such that bad actors were able to insert modifications into source trees, in commits signed by the developer. Most code is not developed in anything remotely resembling a high security context.

Damn, what country is this in? Maybe the US could learn a thing or two from this level of attention to detail.

I think you're seriously overestimating the amount of work the DoD will use... It really depends on what you are working on and where it will be used. I've worked on govt adjacent, military and banking projects... The most locked down in terms of packages I can use have been banks. In one case, a lawyer had to review (mostly licensing) every package that got added in to the local npm mirror for allowed internal use.. and another review for every version bump. Then of course, the (one) guy retires and there's no reviews for a month (so much for the launch date).

I've also been in a sealed environment, where I literally had to hand copy jQuery from an internet connected computer on one side of the room to an internal dev computer on the other side of the room... no disks, usb drives, etc allowed. That was a few days of "fun."

> DoD would not have used the package if ...

That's a lot of faith in military intelligence.

I don't know where you're working, maybe you work in some secret lab where everything is air-gapped and not even the pigeons are allowed within a mile of the facility. In which case, what the hell are you doing commenting on a public message board?

That is absolutely not how DoD works. The vast majority of code is contracted out. Nobody from DoD side is reading any of the code. It's all a series of affidavits and audits for configuration management process. Vendors assert everything's cool. Failed audits lead to fines or revocation of access. And the audits check up on documentation and config. They don't dig into code.

At no point in time is anyone, anywhere, in this process reading every single line of code. Not even A single line of code. I doubt they even read the Software Bill of Materials we're supposed to generate, because I've never heard any feedback on any of it.

Definitely seen this a lot in the JS/NPM ecosystem... You go searching for a module that does $thing... you find about 10, you sort and look at say the 3 most recently published an the 3-5 most downloaded/popular... is the repo open (github, usually), are there a lot of old issues left lingering with an old last publish date? Might take a passive look at the codebase to see if I can grok it and fix any issues I find if needed.

Choose what I feel is the best option. Trying to avoid dead packages, but not afraid to deal with older packages if they aren't just stale, but functionally complete. The shift towards ES import statements and TypeScript defs has also influenced my selection process.

I've seen plenty of cases where either a fork or new option effectively takes over. A lot of people are leaning towards Zod over Yue or Hono over Express. There's instances where the dev goes off the rails like with Faker and the community comes together to fork a solution.

All of the above examples definitely happen in practice. I'm guessing many packages all over the place have replaced various dependencies over the years.

This is theory

I think this is in the realm of a YouTube series. I mean, what's stopping you from doing it?

You should pitch this to David Gelb / whoever is responsible for Chef’s Table on Netflix

No, but I would happily pirate that.

Not sure if you know or not, or if it matters anymore, but someone eventually made a fix for this.

https://github.com/DirkoAudio/ASIOLinkProFIX

I've been using it for over a year on Windows 10 and it works great.

I suspect this is the case for the majority of open source software. I have a handful of tiny projects. I don't think anyone will keep them alive after I die. But I guess we should make a distinction based on popularity or something. My top four projects have only 675, 363, 122, and 96 stars.

I don't think this is a good example though as the "sordid" part also made the project toxic for anything that might have otherwise chosen to take it on.

IMO, it has a lot to do with usage and the availability of alternatives. With ReiserFS, there were a lot of alternatives, both available at the time or announced shortly. While ReiserFS pioneered a lot of ideas, many of them showed up in alternatives fairly quickly. TempleOS is had a pretty limited user base.

I’ve seen many projects in the Clojure ecosystem get picked up and maintained by other folks. The key was always that the projects had an established user base of some notable size and something distinctive about them that made switching to other alternatives less desirable than continuing to push forward with a new and possibly more mundane maintainer and feature schedule. I’ve also seen a lot of “abandonware.”

So, it’s a bit of a mixed bag.

Reiserfs died because alternatives, like ext3/ext4 and btrfs, became readily available.

TempleOS has a fork called ZealOS. Terry Davis really was the "Wesley Willis of programming", and he had friends and fans worldwide, some of whom have taken up TempleOS development under the ZealOS banner.

Definitely varies with language/runtime/library choice. I have no problem using a clojure library that hasn’t been touched in 5 years. But back when I had a gatsby site (static site generator for react) I would end up in the dependency hell after literally a month of not touching it

Under a microscope, maybe.

But if you had a "perfect" piece of software that used Log4j in 2020, it wouldn't have been perfect for long.

Unfortunately, there's a lot of reasons that software needs maintenance, even if it was thought to be perfect when it was originally written.

Hardware changes. The software landscape changes. Dependencies are deprecated, or are found to have their own problems. Vulnerabilities are discovered. Vulnerabilities are found that aren't even the fault of your software, maybe they are a flaw in the hardware your software runs on, and the only way to fix it is via a software mitigation. These are all real things that happen to otherwise perfect software.

That is a hysterically wrong statement.

It is true of Solitaire, Minesweeper, Calculator, and Notepad, and probably about the same number of programs on other OSes. (Notepad has recently had an important expansion of functionality, but it didn't NEED that change.)

It's also true of some dinosaurs I have on my system, that copy DVDs and so forth.

It's not true of most other applications, nor can it be true, unless the app works in a sealed, unchanging environment.

Even then... Voyager 2 recently required a software upgrade, IIRC.

Nicely said, but the reality is that no software is "perfected", just abandoned.

Hell, even sysvinit had some big updates recently.

Maybe we need a Linux distro based on "inactive" software and look how reliably it performs.

LOL. As soon as Python 3.8 is deprecated/replaced by Python 3.9+ in most systems, python packages that depend on old APIs become useless until updated. Any half decent software engineer understands this.

Can you provide an example?

A perfected software that had existed >5 years with zero updates, tweaks, ports, or fixes?

You'd think so, but you make something then it doesn't work on a new version of windows, or it doesn't work on a new version of python because one of your dependencies isn't available for that version of python, or it doesn't work on linux if it doesn't have a specific version of packages, or it doesn't work on the browser because they're ditching manifest v2, or it doesn't work on android because you need to provide more personal information or your app will be unpublished.

At this point I have a feeling "perfect" software only exists in hardware like consoles where updates just stop one day.

> The DoD is a huge organization

That's an understatement if there ever was one.

https://en.wikipedia.org/wiki/List_of_largest_employers

There's a reason it's the largest budget item outside entitlements. There's a lot of money flowing into DoD (and Military Industrial Complex vendors).

Come on, tell me you don't want a pony!

Just because? I don't think so. I remember the reasoning being provided.

> Linus was a pioneer

Being a Young Pioneer or joining the Komsomol was not officially mandatory, but it functioned as a gatekeeper for any kind of advancement. Party membership operated the same way.

So, by themselves, they don't tell you whether the person in question is a communist.

I don't think Russia (or China, either) has been truly communist, in a long time.

Not sure there are any real communist nations left. It's one of those ideologies that looks good on paper, but falls apart, as soon as humans get added to the soup.

Idealists never seem to account for base human nature.

Not anymore, but that was not always the case. He just has an extremely strong will, and a force of personality, that was able to shepherd the project through its nascent challenges.

I have founded fairly important projects (nowhere near on the scale of his work, though), but I don't have the force of personality he does, so tossing the keys to a new team, and walking away, is what worked for me.

I feel like you’ve missed the sarcasm here and zeroed in on correcting PC. Good old HN

Fair point, I glossed over that part a bit fast.

It does go in the direction I thought it would though. I'd be curious to see (or to take) a look a little deeper at what those thousand of packages are.

I wish I could +1 this many times over. Mozilla and Wikipedia are two great examples of this... so much of the expenses are diverted to busy work and so much less to the added value to society.

It is funny how you recognize the "breadtube trap", yet you are so invested in the "no alternative" ideology.

leftpad was a minuscule project that could have been created by anyone. Yet its deletion caused chaos. There are certainly load bearing projects of moderate complexity that are still single person efforts.

I have couple open source NPM packages I develop together with other developers. In some of this packages I have less than 50% contributions in code. But I listed as contributor on NPM, just because I found this packages and did not update contributors list a long time.

So definitions does not matter when stats that author refers, does not include a developers who own over 50% code in repo, but includes me as contributor.

That's widely known problem of programmers to believe that world is perfect and all data are always actual. Actually it won't.

> If who wrote some code matters to you, then your supply chain management is simply insufficient.

I am not following. Source country is absolutely a thing when certain industries look at open source. That’s what Hunted Labs does

The real concern isn't the nationality per se, it's the vulnerability to blackmail by the state that has jurisdiction over you. It's not a matter of personal responsibility, but nevertheless it has to be accounted for.

For example, I am an American citizen, but I have extended family in Russia, and I would fully expect a place like DoD to be wary of that solely on the basis that it makes me susceptible to blackmail by Russian govt agencies by threatening my family.

Not necessarily, Australia has a law allowing the government to compel software devs to add backdoors and gag them to prevent people hearing about the backdoors.

https://scarff.id.au/blog/2023/state-actors-can-add-a-backdo...

Many of them don't live in Russia.

Some of the best engineers that I've worked with (in the US and Europe) are Russian. I've also been quite impressed with other former Iron Curtain developers. A lot of Chinese folks I've worked with have been good.

I know that some nations are known for threatening the relatives of expats, to get them to work on their behalf. Not very nice.

But state-sponsored Russian (or other nations, as well) is definitely something to be concerned about. I suspect a number of folks are concerned about the influence of American programmers. The CIA is known for using fairly innocuous employees of NPOs. My father was one.

they would probably still fake their identity to hide their tracks.

They're also from Great Britain which seems to have the most irrational hatred for everything Russian.