Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

this really feels like one of those roundabouts that CS/IT does.

"every program the system runs depends on library foo, so why is this loaded into memory x times? Let's load it once and share it"

"there are 10 versions of library foo, none of them are backwardly compatible. Every application loads its own version of foo. There are now at least 5 versions of foo in memory at once. Why is the OS trying to manage this? We should statically link every application and stop worrying about it"

This has already gone back and forth at least once since I started working in the industry.



I think Unison's core concept[0] is the right way to address this: content-addressable packages/libraries. You can then get the best of both worlds - apps that need the same version of a dependency automatically share it, instead of duplicating it, but there's no chance of mistakenly substituting incompatible versions (barring a hash collision).

What about when a security vulnerability in a shared library is found? Each dependent app would need to be explicitly changed to accept the patched version, once compatibility has been established. The problem with trying to force-update all apps by patching the sole version of a shared dependency is that it may break some apps. This runs afoul of the maxim "security at the expense of usability comes at the expense of security." At best, you end up with some hacky dependency-management system, at worst the patch remains all-or-nothing so that the slowest apps veto the update.

You can also imagine that the list of versions of a shared library could be maintained in an implicitly declarative fashion, so that old versions with no dependent apps could be garbage-collected using reference-counting.

[0]https://www.unisonweb.org/docs/tour/




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: