Our Software Dependency Problem

The security of package managers is something we&#x27;re going to have to fix.<p>Some years ago, in offices, computers were routinely infected or made unusable because the staff were downloading and installing random screen savers from the internet. The IT staff would have to go around and scold people not to do this.<p>If you&#x27;ve looked at the transitive dependency graphs of modern packages, it&#x27;s hard to not feel we&#x27;re doing the same thing.<p>In the linked piece, Russ Cox notes that the cost of adding a bad dependency is the sum of the cost of each possible bad outcome times its probability. But then he speculates that for personal projects that cost may be near zero. That&#x27;s unlikely. Unless developers entirely sandbox projects with untrusted dependencies from their personal data, company data, email, credentials, SSH&#x2F;PGP keys, cryptocurrency wallets, etc., the cost of a bad outcome is still enormous. Even multiplied by a small probability, it has to be considered.<p>As dependency graphs get deeper, this probability, however small, only increases.<p>One effect of lower-cost dependencies that Russ Cox did not mention is the increasing tendency for a project&#x27;s transitive dependencies to contain two or more libraries that do the same thing. When dependencies were more expensive and consequently larger, there was more pressure for an ecosystem to settle on one package for a task. Now there might be a dozen popular packages for fancy error handling and your direct and transitive dependencies might have picked any set of them. This further multiplies the task of reviewing all of the code important to your program.<p>Linux distributions had to deal with this problem of trust long ago. It&#x27;s instructive to see how much more careful they were about it. Becoming a Debian Developer involves a lengthy process of showing commitment to their values and requires meeting another member in person to show identification to be added to their cryptographic web of trust. Of course, the distributions are at the end of the day distributing software written by others, and this explosion of dependencies makes it increasingly difficult for package maintainers to provide effective review. And of course, the hassles of getting a library accepted into distributions is one reason for the popularity of tools such as Cargo, NPM, CPAN, etc.<p>It seems that package managers, like web browsers before them, are going to have to provide some form of sandboxing. The problem is the same. We&#x27;re downloading heaps of untrusted code from the internet.

It&#x27;s an interesting line of inquiry to think about how many of these evaluation heuristics, which are all described as things a person can do manually, could instead be built into the package manager itself to do for you automatically.<p>The package manager could run the package&#x27;s test suite, for instance, and warn you if the tests don&#x27;t all pass, or make you jump through extra hoops to install a package that doesn&#x27;t have any test coverage at all. The package manager could read the source code and tell you how idiomatically it was written. The package manager could try compiling from source with warnings on and let you know if any are thrown, and compare the compiled artifacts with the ones that ship with the package to ensure that they&#x27;re identical. The package manager could check the project&#x27;s commit history and warn you if you&#x27;re installing a package that&#x27;s no longer actively maintained. The package manager could check whether the package has a history of entries in the National Vulnerability Database. The package manager could learn what licenses you will and won&#x27;t accept, and automatically filter out packages that don&#x27;t fit your policies. And so on.<p>In other words, the problem right now is that package managers are undiscriminating. To them a package is a package is a package; the universe of packages is a flat plane where all packages are treated equally. But in reality all packages <i>aren&#x27;t</i> equal. Some packages are good and others are bad, and it would be a great help to the user if the package manager could encourage discovery and reuse of the former while discouraging discovery and reuse of the latter. By taking away a little friction in some places and adding some in others, the package manager could make it easy to install good packages and hard to install bad ones.

This paper lends significant legitimacy to a casual observation that I&#x27;ve been concerned about for a long time: as the standard for what deserves to be a module gets ever-lowered, the law of diminishing returns kicks in really hard.<p>The package managers for Ruby, C#, Perl, Python etc offer ~100k modules. This offers strong evidence that most developer ecosystems produce (and occasionally maintain) a predictable number of useful Things. If npm has 750k+ modules available, that suggests that the standard for what constitutes a valuable quantity of functionality is 7.5X lower in the JS community. Given that every dependency increases your potential for multi-dimensional technical risk, this seems like it should be cause for reflection. It&#x27;s not an abstract risk, either... as anyone who used left-pad circa 2016 can attest.<p>When I create a new Rails 5.2 app, the dependency tree is 70 gems and most of them are stable to mature. When I create-react-app and see that there&#x27;s 1014 items in node_modules, I have no idea what most of them actually do. And let&#x27;s not forget: that&#x27;s just the View layer of your fancy JS app.

&gt;Is the code well-written? Read some of it. Does it look like the authors have been careful, conscientious, and consistent? Does it look like code you’d want to debug? You may need to.<p>This, 10,000x. I&#x27;ve repeated a similar mantra many, many times, and it&#x27;s one of the most important reasons I refuse to use proprietary software. You should consider no software a black box, and consider the software you chose to use carefully, because it&#x27;s your responsibility to keep it in good working order.

My personal sense, from watching developments in this space, is that we are going to have to find some way for taking on an open source dependency to be an economic transaction, with money actually changing hands. With open source, the code itself is free (in both the libre and gratis sense), but there are other places to identify value. One of them is chain of custody - is there an actual, somewhat responsible human being behind that package? Many of the most dramatic recent failures are of this nature.<p>Other value is in the form of security analysis &#x2F; fuzzing, etc. This is real work and there should be ways to fund it.<p>I think the nature of business today is at a fork. Much of it seems to be scams, organized around creating the illusion of value and capturing as much of it as possible. The spirit of open source is the opposite, creating huge value and being quite inefficient at capturing it. I can see both strands prevailing. If the former, it could choke off open source innovation, and line the pockets of self-appointed gatekeepers. If the latter, we could end up with a sustainable model. I truly don&#x27;t know where we&#x27;ll end up.

Fyi, the article&#x27;s title and sibling top-level comment by austincheney may give the wrong impression of what Russ Cox is talking about.<p>His essay is <i>not</i> saying software dependencies itself is a problem. Instead, he&#x27;s saying software dependencies <i>_evaluation_</i> methodology is the problem. He could have titled it more explicitly as <i>&quot;Our Software Dependency Evaluation Problem&quot;</i>.<p>So, the premise of the essay is already past the point of the reader determining that he will use someone else&#x27;s software to achieve a goal. At that point, don&#x27;t pick software packages at random or just include the first thing you see. Instead, the article lists various strategies to <i>carefully evaluate</i> the soundness, longevity, bugginess, etc of the software dependency.<p>I think it would be more productive to discuss <i>those evaluation strategies</i>.<p>For example, I&#x27;m considering a software dependency on a eventually consistent db such as FoundationDB. I have no interest nor time nor competency to &quot;roll my own&quot; distributed db. Even if I read the academic whitepapers on concurrent dbs to write my own db engine, I&#x27;d still miss several edge cases and other tricky aspects that others have solved. The question that remains is if FoundationDB is a &quot;good&quot; or &quot;bad&quot; software dependency.<p>My evaluation strategies:<p>1) I&#x27;ve been keeping any eye on the project&#x27;s &quot;issues&quot; page on Github[0]. I&#x27;m trying to get a sense of the bugs and resolutions. Is it a quality and rigorous codebase like SQLite? Or is it a buggy codebase like MongoDB 1.0 back in 2010 that had nightmare stories of data corruption?<p>2) I keep an eye out for another high-profile company that successfully used FoundationDB besides Apple.<p>3) and so on....<p>There was recent blog post where somebody regretted their dependency on RethinkDB[1]. I don&#x27;t want to repeat a similar mistake with FoundationDB.<p>What are your software dependency evaluation strategies? Share them.<p>[0] <a href="https:&#x2F;&#x2F;github.com&#x2F;apple&#x2F;foundationdb&#x2F;issues" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;apple&#x2F;foundationdb&#x2F;issues</a><p>[1] <a href="https:&#x2F;&#x2F;mxstbr.com&#x2F;thoughts&#x2F;tech-choice-regrets-at-spectrum&#x2F;" rel="nofollow">https:&#x2F;&#x2F;mxstbr.com&#x2F;thoughts&#x2F;tech-choice-regrets-at-spectrum&#x2F;</a>

&gt; Does the code have tests? Can you run them? Do they pass? Tests establish that the code’s basic functionality is correct, and they signal that the developer is serious about keeping it correct.<p>This is one thing I thoroughly miss from Perl&#x27;s CPAN: modules there have extensive testing, thanks to the CPAN Testers Network. It&#x27;s not just a green&#x2F;red badge but reporting is for the version triplet { module version, perl version, OS version }. I really wish NPM did the same.<p>Here&#x27;s an example: <a href="http:&#x2F;&#x2F;deps.cpantesters.org&#x2F;?module=DBD::mysql" rel="nofollow">http:&#x2F;&#x2F;deps.cpantesters.org&#x2F;?module=DBD::mysql</a>

Modest proposal: do the opposite of everything suggested in this article. After all, if you spend all your time inspecting your dependencies, what was the point of even having them in the first place?<p>This will ensure that maximum time possible is spent implementing new features. <i>Everyone</i> on your team can pitch in to accelerate this goal. Even non-technical outsiders can give valuable feedback. At the same time, this ensures minimum time spent fiddling about in a desperate attempt to secure the system and slowing everyone else down. Besides, unless you&#x27;re already a fortune 500 company, <i>no one</i> on your team knows how to do security at all. (And even then the number of experts on your team is probably still dangerously close to zero.)<p>The software you ship will obviously be less secure than if you had focused any time at all on security. However, the utility of your software will <i>skyrocket</i> compared to what it would have been if you had sat around worrying about security. So much that your userbase is essentially <i>forced</i> to use your software because nothing else exists that even has a fraction of its feature set.<p>Sooner or later the insecurity will catch up with you. But this is the best part-- your software has so many features it is now a <i>dependency</i> of nearly everything else that exists. There is no chess move left except to sit down and somehow <i>actually</i> secure it so that arbitrarily tall stacks of <i>even less secure</i> software can keep being build atop it without collapsing like a house of cards.<p>And it&#x27;s at this point that the four or five people in the world who actually understand security step in and sandbox your software. Hey, now it&#x27;s more secure than a system built by a cult of devs tirelessly inspecting every little dependency before they ship anything. Problem solved.

Worse than package dependency is platform dependency. My code runs on top of 10 million lines of Kubernetes insanity that no one really understands, including the thousands of authors who wrote it. In theory, that means at the drop of a hat I can switch to a different cloud, kubectl apply, and presto! Platform independence. In reality, every cloud is slightly different, and we now depend on and work around a lot of weird quirks of Kubernetes itself. We&#x27;re stuck with what we&#x27;ve got.

Easily explained in two points.<p>1. Convenience at cost to everything else. Easier is generally preferred over simplicity. If the short term gains destroy long term maintenance&#x2F;credibility they will solve for that bridge when they come to it at extra expense.<p>2. Invented Here syndrome. Many JavaScript developers would prefer to never write original code (any original code) except for as a worst case scenario. They would even be willing to bet their jobs on this.

It might be that data protection regulations start to &#x27;encourage&#x27; movement in this area regards more careful consideration of the software dependency chain. If you pull in a malicious dependency which results in personal information being exfiltrated, I doubt the &quot;we pulled in so many third party dependencies it was infeasible to scrutinise them&quot; defence is going to mitigate the fines by very much.

I like (and basically agree with) the article, but I have to think it basically does a good job of pointing out the problem, and a bad job of suggesting a solution. The sheer number of dependencies of most commercial software now, and the ratio of backlog-to-developers, basically insures that the work required to check all your dependencies does not normally get done.<p>Hypothesis: it will require a massive failure, that causes the ordinary citizen (and the ordinary really, really rich citizen) to notice that something is wrong, before it changes much.<p>Hypothesis 2: after that happens, the first language whose dependency manager handles this problem well, will move up greatly in how widely it&#x27;s used.

I think object-capabilities are one way to have much safer code reuse. Suppose a dependency exports a class UsefulService. In current languages, such a class can do anything - access the filesystem, access the network, etc. Suppose however that the language enforces that such actions can only be done given a reference to e.g. NetworkService, RandomService, TimeService, FilesystemService (with more or less granularity). Therefore if UsefulService is declared with `constructor(RandomService, TimeService)`, I can be sure it doesn&#x27;t access any files, or hijacks any data to the network - nor do any of its transitive dependencies.<p>The method of sandboxing using OS processes + namespaces and what not is too heavy and unusable at such granularity.<p>The method of per-dependency static permission manifests in some meta-language is also poor.<p>The method of a single IO monad is too coarse. Also using any sort of `unsafe` should not be allowed (or be its own super-capability).<p>Obviously there are many tricky considerations. [For example, it is anti-modular - if suddenly UsefulService does need filesystem access, it&#x27;s a breaking change, since it now must take a FilesystemService. But that sounds good to me - it&#x27;s the point after all.] But does any language try to do this?

The problem I see is not in the fact the develpers choose to rely on third party software reuse and thus create dependencies, but in how developers <i>choose</i> which third party software to use. If their judgment fails, the consequences for the user can be dire.<p>For example, Google chose to reuse the c-ares DNS library for their Chromebooks over other available DNS libraries. It is maintained by the same person who oversees the popular libcurl.<p>The company issued a challenge and a $100,000 bounty for anyone who could create a persistent exploit with the Chromebook running in guest mode.<p>As it happened, the winnning exploit relied on an off-by-one mistake in the c-ares library.<p>Users are not in the position to decide which (free, open-source) code is reused in a mass market corporate product. They must rely on the judgment of the developers working for the corporation.<p>On my personal computers, where I run a non-corporate OS, I prefer to use code from djbdns rather than c-ares for DNS queries. If someone finds an off-by-one mistake in djbdns, and this has negative consequences for me, it will be my own judgment that is to blame.

The real dependency problem is that most languages give out way too much trust by default. Any code can have any side effects.<p>I&#x27;d like ways to guarantee my dependencies have no side effects, like they were Haskell with no IO&#x2F;unsafePerformIo, or to aggressively audit and limit those side effects. Malicious event stream package suddenly wants to use the network? No.

There used to be talk about how to increase &quot;reuse&quot; of software, and now that systems use masses of libraries, the down-sides of heavy but casual reuse are coming to light.<p>I&#x27;m not sure of an easy answer. Perhaps the libraries can be reworked to make it easier to only use or extract the specific parts you need, but it&#x27;s difficult to anticipate future and varied needs well. Trial and error, and blood, sweat, and tears may be the trick; but, nobody wants to pay for such because the benefits are not immediate nor guaranteed.<p>OOP use to be &quot;sold&quot; as a domain modelling tool. It pretty much <i>failed</i> at that for non-trivial domains (in my opinion at least), but made it easier to glue libraries together, and glue we did.

15 years ago adding an external module was an endeavor involving approval forms, lawyers, etc. so that it frequently were much easier just to develop required functionality yourself. These days i still shudder seeing how the build goes somewhere, downloads something (usually you notice it only when whatever package manager being used for that part of the build didn&#x27;t find the proxy or requires very peculiar way of specifying it - of course at the companies with transparent proxies people didn&#x27;t notice even that ) ... completely opaque in the sense that even if i spend some time today looking into what is downloaded and where from, tomorrow another guy would just add another thing ...

Is the package management story significantly worse for js&#x2F;node than other languages or is it just a meme? If it actually does have more issues, why? Are the npm maintainers less rigorous than, maven central (for example)?<p>Java is lucky enough to have a lot of very solid Apache libraries built with enterprise money. Is the culture different for js and npm?

&gt; Adapting Leslie Lamport’s observation about distributed systems, a dependency manager can easily create a situation in which the failure of a package you didn’t even know existed can render your own code unusable.<p>Gold right here. Makes me wonder what Lamport’s TLA+ could be used for in the problem area.

&gt; We do this because it’s easy, because it seems to work, because everyone else is doing it too, and, most importantly, because it seems like a natural continuation of age-old established practice.<p>And because we literally could not be creating software with the capabilities we are at the costs it is being produced without shared open source dependencies.<p>I guess this is the same thing as &quot;it&#x27;s easy&quot;, but it&#x27;s actually quite a different thing when you say it like this.

Dependencies are such a huge pain but I kinda liked the way we handled it when I did contracting work for the NSA years ago. Essentially we told them _exactly_ what dependencies we needed, including subdependencies, and we audited them the best we could and then we included them. To avoid this headache meant we were less incentivized to just pull in a module for every little thing and, instead, write our own where necessary or used modules that had less subdependencies.<p>I think we&#x27;re ready for a new class of dependencies. Dependencies that have little to no subdependencies. Dependencies that you can more easily audit because of fewer subdependencies.<p>Also, we need less building of JavaScript code in npm packages. Instead, let people access the raw code so they can not only do tree shaking but they can examine the code that is running versus the code that may be in git. You can still include it and minify it with your stuff. This would also mean you could have larger libraries that do more stuff because you&#x27;d only include what you use (think how many Java libraries work except you could pull out what you need).<p>I don&#x27;t think there is a good software &#x2F; npm solution. I think we need to change the way we work with dependencies entirely.

I am reminded of this gem: <a href="https:&#x2F;&#x2F;www.mikeperham.com&#x2F;2016&#x2F;02&#x2F;09&#x2F;kill-your-dependencies&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.mikeperham.com&#x2F;2016&#x2F;02&#x2F;09&#x2F;kill-your-dependencies...</a>

I ran across a great quote that sums up the situation.<p><i>...functionality is an asset, but code is a liability.</i><p><a href="http:&#x2F;&#x2F;widgetsandshit.com&#x2F;teddziuba&#x2F;2010&#x2F;10&#x2F;taco-bell-programming.html" rel="nofollow">http:&#x2F;&#x2F;widgetsandshit.com&#x2F;teddziuba&#x2F;2010&#x2F;10&#x2F;taco-bell-progra...</a><p>Don&#x27;t know if the OP came up with it himself, but he is now a candidate for the California State Senate.

I much prefer Java&#x27;s model of software dependency consisting of (for the most part) well-documented, large, feature-filled libraries distributed in an easily discoverable and maintainable manner (maven&#x2F;gradle&#x2F;...) to the dependency hell that is modern JS libraries. Hopefully newer languages like rust don&#x27;t succumb to the same trap.

Yes, that&#x27;s why I package as much stuff as I can into a hermetic Bazel build, including Python modules (and yes, I build Python programs in Google PAR format using Subpar). They&#x27;re all stored in my own cloud bucket, the entire transitive closure can be tracked down, and they don&#x27;t change underneath me willy-nilly. For C++ cross-builds I also package toolchains in a similar fashion. You could also package a toolchain for the host if you&#x27;d like, I just don&#x27;t bother. And I package test data likewise. The build isn&#x27;t 100% hermetic, but I&#x27;d say about 90%. I feel pretty good about this set-up and recommend it to others. Grabbing random packages (and worse, their transitive closures) from the internet as a part of the build sounds insane to me.

Article kind of mangles the relationship between software reuse (which _has_ been here for a long time) and specific language library, etc..management.<p>many years ago now systems administrators were tasked with providing a safe and sane environment for end user and developers by performing the exact due diligence that is described in this article. In the &#x27;move fast and break things age&#x27; all this has been thrown to the wind and everyone decries the language manager code sprawl and breakage. Of necessity enterprises revert to &#x27;immutability&#x27; as if it was a desirable and necessary deployment characteristic. This is an ugly time in IT.

The way I see it, our over-dependency (sorry for overloading the phrase) on Javascript as the de-facto web language has the pendulum far in one direction. How much longer can we keep this up? What&#x27;s the maximum capacity of a developer ecosystem before dependency-hell and framework churn reaches critical mass? This is still a complicated information system - how far can it scale? What&#x27;s the breaking point?<p>There&#x27;s so much amateur work and muddied merit-sense-making of what&#x27;s good software, who to listen to, and how to move forward - my feeling is that pendulum is just about at peak.

Along the same lines is Docker Hub. Blindly building your own images via dockerfiles that pull from others images should warrant serious consideration, especially given those images can be updated at any time.

&quot;Dependency managers can often provide statistics about usage&quot;<p>Using module usage statistics as a proxy for trust is not always a good idea.<p>For example, I confirmed with the security team of npm that they do not audit module download statistics, i.e. no detection of gaming the system through multiple downloads from a given IP.<p>It&#x27;s quite possible for a module to have 10,000 weekly downloads, all generated by a cron curl script run by the module&#x27;s author.<p>I wouldn&#x27;t be surprised if this was the case for not a few modules on npm, especially to develop trust for later exploits.

Great article.<p>Some thoughts (mostly informed from design of Buckaroo <a href="https:&#x2F;&#x2F;github.com&#x2F;LoopPerfect&#x2F;buckaroo&#x2F;" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;LoopPerfect&#x2F;buckaroo&#x2F;</a> ):<p>- Cost of creating a package must be low (ideally the package just lives in source control). This encourages code reuse and therefore testing.<p>- Verification of changes must be easy. Git is a great tool for this - we can review patches between versions, rather than whole versions at once.<p>- It should be easy to extract dependency graph (including transitive deps) so that you analyze who you are trusting.<p>- There must be a verifiable chain from package source to package bundle (NPM fails here, do you really know the source code reviewed on GitHub is what went into the bundle on the NPM registry)? Better yet, have no bundles at all, just source code + build instructions.<p>- Reproducible installations (usually implemented via lock-files) are critical. Many package managers have lock-files that do not actually give reproducible installs. Beware!<p>- Package builds must be isolated from each-other (otherwise one package might tamper with another; I believe this is possible in NPM packages)

This is excellent. Not only for the subject matter but the quality of writing. I often take an article like this, distill it into my own (usually fewer) words and save it as a text file. This one I kept &quot;distilling&quot; only to realize, nope, nope, the way he said it was more exact&#x2F;precise&#x2F;correct.

This is probably a prelude to a deeper discussion of the module notary service that the Go project intends to run. First announced in this post from the end of last year: <a href="https:&#x2F;&#x2F;blog.golang.org&#x2F;modules2019" rel="nofollow">https:&#x2F;&#x2F;blog.golang.org&#x2F;modules2019</a>

On dependencies:<p>There aren&#x27;t a lot of tools out there to keep you 100% up to date and to keep moving.<p>There is maven-dependencies that can auto upgrade, however, that&#x27;s just a simple version upgrade and may have issues with non-standard versioning. Also it doesn&#x27;t help with transitive dependency conflicts.<p>We need good tools to alert and stop transitive dependency conflicts in their tracks. Versions helps with this, but it doesn&#x27;t tell you much.<p>What we do need: Jenkins dependency triggers for the projects. We need something that will automatically work wtih SCM and CI to create commits based on new found dependencies. If there is something that changed your tests should confirm if it works or not.

If you can easily write a replacement for it, then the cost of depending on it is very small - because the worst case for the fix is replacing it....

Reducing the number of dependencies can avoid many of the problems, and makes it easier to examine the code, as well as less likely to cause problems (of several kinds). Many code has too much dependencies. Whether writing in JavaScript or C or something else, I will usually not use many external libraries; most commonly none at all.

I wouldn&#x27;t qualify zlib as trusted high-quality code. He really needs to look deeper.

There&#x27;s a talk from Rich Hickey about this.

I am pretty new to development, and I keep trying to prove myself wrong over my apprehension to willy-nilly accumulate dependencies just because “the time savings add up”.<p>Before starting any new project, I research and try all the existing similar projects I can find. I can predict their stability with overwhelming precision just by glancing at the dependencies, so the few projects I have built use only the most vanilla version of mainstream dependencies.<p>And another result of this observation has been that I have come to devalue the word of devs with that happy-go-lucky approach to dependency accumulation. It seems to correlate with the exaggerated optimism that persists around everything in the development community. I’d like to be more optimistic just like everyone else, but ignoring debt like this doesn’t seem like the right way to do it.

I&#x27;ll just go ahead and take the downvotes&#x2F;burial&#x2F;lectures&#x2F;ridicule whatever but I need to say it anyway. I&#x27;ve been programming for thirty years and in my opinion effective code reuse with npm is one of the greatest achievements in the history of software engineering. It&#x27;s not perfect but it should be appreciated more and the issues are being overblown.