Reuse Less Software
9 hours ago
- #dependency management
- #software development
- #supply chain security
- The cost model for software distribution has changed: distributing code is now so cheap and automated that supply chain attacks have become frequent.
- In the past, software reuse was hard, leading to modularity research; now, reuse is excessive, causing dependency issues and supply chain vulnerabilities.
- Package managers and automated build systems enable easy distribution but also make supply chain attacks spread quickly through CI/CD pipelines.
- A proposed solution is to vendor all dependencies by including their source code directly in the project's repository, creating a firebreak against supply chain attacks.
- Vendoring increases the visibility of dependencies, reduces hidden bloat, and encourages thoughtful consideration of whether a dependency is truly needed.
- A downside is that transitive dependencies won't be shared, making deduplication harder, but this also prevents handing control of your program to others.
- Not all software can adopt this approach, especially complex systems or those with OS-level dependencies, but many small to medium projects could benefit.
- Vendoring mitigates version conflicts and unexpected bugs from automatic updates, though it may bloat repositories and require manual dependency updates.
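The vendoring firebreak described in the points above only holds if the copied sources cannot drift unnoticed. As an added example (not code from the original article), the script below records a SHA-256 manifest when a dependency is vendored and reviewed, then reports any modified, added or removed file under the tree on later runs, so a CI step can fail the build instead of silently pulling in a change; the `vendor/` layout and the manifest name are assumptions.

```python
import hashlib
import json
import sys
from pathlib import Path

# Assumed name; stored inside the vendored tree next to the third-party sources.
MANIFEST_NAME = "VENDOR_MANIFEST.json"

def hash_tree(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name != MANIFEST_NAME:
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def write_manifest(root: Path) -> Path:
    """Record the reviewed state of the vendored tree; rerun only after a deliberate update."""
    manifest = root / MANIFEST_NAME
    manifest.write_text(json.dumps(hash_tree(root), indent=2, sort_keys=True))
    return manifest

def verify_tree(root: Path) -> dict[str, list[str]]:
    """Diff the tree against its manifest; every list empty means nothing drifted."""
    recorded = json.loads((root / MANIFEST_NAME).read_text())
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "added": sorted(set(current) - set(recorded)),
        "removed": sorted(set(recorded) - set(current)),
    }

def is_clean(drift: dict[str, list[str]]) -> bool:
    """True when the vendored tree matches what was reviewed and committed."""
    return not any(drift.values())

if __name__ == "__main__":
    # First run writes the manifest; later runs (e.g. a CI step) fail the build on drift.
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "vendor")
    if not (root / MANIFEST_NAME).exists():
        print(f"wrote {write_manifest(root)}")
        sys.exit(0)
    drift = verify_tree(root)
    for kind, files in drift.items():
        for name in files:
            print(f"{kind}: {name}")
    sys.exit(0 if is_clean(drift) else 1)
```

Commit the manifest together with the vendored sources so that a pull request updating a dependency shows both the new code and the changed digests in one reviewable diff.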