Remix.run Logo
gwervc 14 hours ago

> package management belongs to the os

It clearly doesn't except if you're a fan of dll hell and outdated packages.

bluGill 11 minutes ago | parent | next [-]

Window's package management is famously bad. However bugs in their implementation cannot be used to shoot down the concept.

beeflet 13 hours ago | parent | prev [-]

the solution to DLL hell is to patch the applications to all use the same version of the library.

FridgeSeal 13 hours ago | parent [-]

Oh but of course!

The solution to…a problem created directly by a specific approach is to…do even more work ourselves to try and untangle ourselves? And just cross our fingers and just _hope_ that every app/library is fully amenable to being patched this way?

Alternatively, we could realise that this isn’t really feasible at the scale that the ecosystem operates at now, and that instead of taking an approach that requires us to “do extra work to untangle ourselves” we should try and…not have that problem in the first place.

beeflet 12 hours ago | parent | next [-]

I don't think it's unreasonable to have a system where every program uses the same version of a library.

>And just cross our fingers and just _hope_ that every app/library is fully amenable to being patched this way?

It requires some foresight in designing the application, and whether or not you even choose to use that application in the first place. We should strive to decrease the complexity of the system as a whole. The fact that packages are using different versions of the same library in the first place is a canary and the system should disincentivize that use case to some extent. Using static libraries or a chroot or a sandbox for everything is sweeping the problems under the carpet.

>taking an approach that requires us to “do extra work to untangle ourselves” we should try and…not have that problem in the first place.

I would prefer a system that allows you to link every application to the same library as a default, but also allows for some per-application override, perhaps by using symlinks. That would cover the majority of use cases. But I do not think that dynamic linking is generally in vain.

In my own projects, I try to rely on static linking as much as possible, so I understand your perspective as a developer. But as a user I do not want programs to have their own dependencies separate from the rest of the system.

jcelerier 9 hours ago | parent | next [-]

> I don't think it's unreasonable to have a system where every program uses the same version of a library.

I really think it is. Even at the scale of a single app it may sometimes make sense to have multiple versions of a same library, if for instance it implements a given algorithm in two different ways and both ways have useful properties

lodovic 5 hours ago | parent | next [-]

I have seen this (linking with multiple versions of the same library) for maintaining backwards compatibility, for example to support parsing a data file from a previous version, but never for selecting different algorithms.

uecker 8 hours ago | parent | prev [-]

Then shouldn't these APIs be exposed as different libraries?

FridgeSeal 12 hours ago | parent | prev [-]

Could a more streamlined “conception” of something like Gentoo fix this?

Applications ship their lock files + version constraints. Gets merged into a user/os level set of packages. You update one package, OS can figure out what it has to rebuild and goes off and does that.

Still shit-out-of-luck for anything proprietary, and it’s still super possible for users to end up looking at compile failures, but technically fits the bill?

palata 3 hours ago | parent | prev [-]

> The solution to…a problem created directly by a specific approach is to…do even more work ourselves to try and untangle ourselves?

The solution is to be more professional. DLL hell comes from libraries that break compatibility: serious libraries should not break compatibility, or at least not often. Then when they do and you happen to have the issue, it's totally fair to go patch the library you depend on that depends on the breaking lib. Even in proprietary software.

The modern way is to use ZeroVer [1] and language package managers that pull hundreds of dependencies in the blink of an eye. Then asking that people compile everything themselves or use the one system deemed worthy of support (usually Windows and the very latest Ubuntu). And of course not caring about security one bit.

[1]: https://0ver.org/