Hacker News: anotherhue's comments

I enjoyed reading this, thank you.

\o/

Did you never do the science experiment? One small spark...

Don’t smoke while fuelling your car. Unless it’s a diesel that is…

I weep for the loss of dignity, of law, of belief that tomorrow brings.

They are bound by your consent, you are not bound by their fear.


And make it easy, cheap and fast to sue for clear violations.

We can only go fast if people have trust.


I have observed a sharp disconnect in the philosophies of 'improving developer experience' and 'running a tight ship'.

I think the last twenty years of quasi-marketing/sales/recruiting DevRel roles have pushed a narrative of frictionless development, while on the flip side security and correctness have mostly taken a back seat (special industries aside).

I think it's a result of the massive market growth, but I so welcome the pendulum swinging back a little bit. Typo squatting packages being a concern at the same time as speculative execution exploits shows mind bending immaturity.


I think that's a consequence of programmers making tools for programmers. It's something I've come to really dislike. Programmers are used to doing things like editing configurations, setting environment variables, or using custom code to solve a problem. As a result you get programs that can be configured, customized through code (scripting or extensions), and little tools to do whatever. This is not IMHO how good software should be designed to be used. On the positive side, we have some really good tooling - revision control in the software world is way beyond the equivalent in any other field. But then git could be used in other fields if not for it being a programmers tool designed by programmers... A lot of developers even have trouble doing things with git that are outside their daily use cases.

Dependency management tools are tools that come about because it's easier and more natural for a programmer to write some code than solve a bigger problem. Easier to write a tool than write your own version of something or clean up a complex set of dependencies.


"Security" and "Convenience" are always a tradeoff; you can never have both.

I've seen this more formalized as a triangle, with "functionality" being the third point: https://blog.c3l-security.com/2019/06/balancing-functionalit...

You can get secure and easy-to-use tools, but they typically have to be really simple things.


True. Then the Convenience folks don't understand why the rest of us don't want the things they think are so great.

There are good middle grounds, but most package managers don't even acknowledge other concerns as valid.


It's not quite a straight trade; IIRC the OpenBSD folks really push on good docs and maybe good defaults precisely because making it easier to hold the tool right makes it safer.

This is obvious, the question here is why everybody traded security for convenience and what else has to happen for people to start taking security seriously.

Regarding "what else has to happen": I would say something catastrophic. Nothing comes to mind recently.

Security is good, but occasionally I wonder if technical people don't imagine fantastic scenarios of evil masterminds doing something with the data and managing to rule the world.

While in reality, at least in the last 5 years, there are so many leaders (and people) doing and saying things so plainly stupid that I feel we should be more afraid of stupid people than of hackers.


In the last 5 years several major medical providers have had sensitive personal data of nearly everyone compromised. The political leaders are the biggest problem today, but that could change again.

And what is the actual impact? Don't get me wrong, I don't think it is not bad, but then again abusing information could be done already by the said providers (ex: hike insurance rates based on previous conditions, taking advantage of vulnerable people).

Society works by agreements and laws, not by (absolute) secrecy.

There are of course instances like the electrical grid stopping for days, people being killed remotely in hospitals, nuclear plants exploding, that would have a different impact and we might get there; it just hasn't happened yet.


The actual impact is that your private medical data is in the hands of thieves, which most people don’t want.

It’s similar to how most people are distressed after a break-in, because they considered their home to be a private space, even though the lock manufacturer never claimed 100% security (or the thieves simply bypassed the locks by smashing a window).

Agreements and laws don’t solve that problem, because thieves already aren’t stopped by those.


>the question here is why everybody traded security for convenience

I don't think security was traded away for convenience. Everything started with convenience, and security has been trying to gain ground ever since.

>happen for people to start taking security seriously

Laws with enforced and non-trivial consequences are the only thing that will force people to take security seriously. And even then, most probably still won't.


If it tickles your fancy, may I also suggest trying Nix to build docker images?

Personally I've soured on the Dockerfile approach as it feels like we're just shuffling bytes around rather than composing something.

https://nix.dev/tutorials/nixos/building-and-running-docker-...


I have completely soured on Dockerfiles. I view them as anathema.

The supposed "caching" of layers really doesn't work in practice unless you add a bunch of other infrastructure and third-party tooling to your build process. Getting truly incremental and reproducible layers into your build process is non-trivial, and the Dockerfile approach fails to take advantage of that work once you've done it.


You need to start with the right base. Here’s a container-first 100%-reproducible from-scratch base to build on.

[0] https://stagex.tools/


A surprising downside to Nix containers is that a majority of packages are not optimized for containers. For example, try adding a dependency on `git` and see how big the container grows. Granted, the good packages (like git) allow customization, but it requires really digging into the code. Some packages just straight up ship with a ton of bloat and the only thing you can do is basically fork and maintain it yourself.

It's a problem of nixpkgs. It would be cool to have an Alpine-like alternative package set focused on minimal package size.

There is, isn't there? That's what `pkgsStatic` in Nixpkgs is: statically compiled packages with small closures built with musl, just like Alpine.

You could try to statically link them if the package supports it; it does so by using musl.

    nix build github:NixOS/nixpkgs#pkgsStatic.git

returns the package as:

    $ ls -lah git
    -r-xr-xr-x 1 rucadi rucadi 5.1M Jan 1 1970 git

    $ ldd git
            not a dynamic executable

So you don't really need to grow the container.
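Putting the two points in this thread together (building images with Nix, and reaching for pkgsStatic to keep the closure small), here is an added example of a minimal image that contains only the statically linked git. This is not code from the thread, from nix.dev or from nixpkgs itself; it assumes a nixpkgs checkout in which `dockerTools.buildLayeredImage` and `pkgsStatic.git` behave as documented, and the image name, tag, working directory and numeric user are arbitrary choices.

```nix
# Added example (not from the thread or from nixpkgs): an OCI image whose root
# filesystem is nothing but the closure of the musl-linked git from pkgsStatic.
# Assumes nixpkgs provides pkgsStatic.git and dockerTools.buildLayeredImage.
{ pkgs ? import <nixpkgs> { } }:

let
  # Statically linked git: no glibc, no shared libraries pulled into the closure,
  # which is what keeps the resulting image small.
  staticGit = pkgs.pkgsStatic.git;
in
pkgs.dockerTools.buildLayeredImage {
  name = "git-static";   # arbitrary image name
  tag = "latest";

  # Only the closure of the listed packages ends up in the image; there is no
  # distro base layer, so the attack surface is exactly what git needs.
  contents = [ staticGit ];

  config = {
    Entrypoint = [ "${staticGit}/bin/git" ];
    # Run unprivileged. The image has no /etc/passwd, so a numeric uid:gid
    # (nobody/nogroup on most systems) is used instead of a user name.
    User = "65534:65534";
    WorkingDir = "/work";
  };
}
```

Build and load it with `nix-build image.nix && docker load < result`, then run it as `docker run --rm -v "$PWD:/work" git-static:latest --version`. To see what the static build buys you, compare closure sizes before picking a package for an image: `nix path-info -Sh github:NixOS/nixpkgs#pkgsStatic.git` against `nix path-info -Sh github:NixOS/nixpkgs#git`; the difference is the glibc, curl, openssl and friends that the dynamically linked variant would otherwise drag into every layer.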


Yeah, it's a problem on a package-per-package basis. My point isn't how to solve the git problem but that the experience can vary wildly depending on the package. It can be surprising and often comes at the expense of time trying to navigate the insanity that is nixpkgs :)

Nix is cool, but with Nix one needs to know Nix. Personally, I prefer just using scripting languages. LLMs made code cheaper, but debugging became expensive.

Long overdue, but attempted a few times.

https://en.wikipedia.org/wiki/Laser_(debit_card)

There were other attempts.

There is no reason to outsource our entire payment infrastructure to foreign rent seeking entities.


Wero is the last attempt. We'll see how that goes...

https://wero-wallet.eu/


Wero is superseding iDeal and that has been massively successful in the Netherlands.


How does he finance all these lawsuits?


Per Wikipedia:

"Mitchell's family owns the Rickey's restaurants in Hollywood, Florida, and Pembroke Pines, Florida, and he sells Rickey's World Famous Hot Sauce"

https://en.wikipedia.org/wiki/Billy_Mitchell_(gamer)


World famous ey? Wonder which world...


His hot sauce sales? (as shown in The King of Kong)


I think you're conflating the desires of businesses with the desires of people.

Every local shop seemed to have a Polish person on the till back then and it was a real culture shock for most. Would they have been worse off if the position went unfilled? Perhaps, but I can also say as a then teenager looking for summer work I lost access to starter jobs.


On average, I should have said. In terms of GDP per capita, budget size, etc. But of course, that doesn't mean it was uniformly better; it can't have been.


You have described Ireland.


Except they're not all in jail.

