Comment by yjftsjthsd-h

16 hours ago

> Their most recent runtime hasn’t been updated in 4 years. That’s quite different.

Bad, even.

False. The exact opposite of bad.

The “system” should provide the barest minimum of libraries. Programs should ship as many of their dependencies as is technically feasible.

Oh what’s that? Are you crying about security updates? Yeah well unfortunately you shipped everything in a Docker container so you need to rebuild and redeploy all of your hierarchical images anyways.

  • > Programs should ship as many of their dependencies as is technically feasible.

    Shipping in a container just is "ship[ping] as many [...] dependencies as is technically feasible". It's "all of them except the kernel". The "barest minimum of libraries" is none.

    Someone who's using Docker is already doing what you're describing anyway. So why are you scolding them as if they aren't?

  • > False. The exact opposite of bad.

    I don't mind stable base systems, I don't mind slow and well tested updates, I actively like holding stable ABIs, but if you haven't updated anything in 4 years, then you are missing bug and security fixes. Not everything needs to be Arch, but this opposite extreme is also bad.

    > The “system” should provide the barest minimum of libraries. Programs should ship as many of their dependencies as is technically feasible.

    And then application developers fail to update their vendored dependencies, and thereby leave their users exposed to vulnerabilities. (This isn't hypothetical, it's a thing that has happened.) No, thank you.

    > Oh what’s that? Are you crying about security updates? Yeah well unfortunately you shipped everything in a Docker container so you need to rebuild and redeploy all of your hierarchical images anyways.

    So... are you arguing that we do need to ship everything vendored in so that it can't be updated, or that we need to actually break out packages to be managed independently (like every major Linux distribution does)? Because you appear to have advocated for vendoring everything, and then immediately turned around to criticize the situation where things get vendored in.

    • > I don't mind stable base systems, I don't mind slow and well tested updates, I actively like holding stable ABIs, but if you haven't updated anything in 4 years, then you are missing bug and security fixes.

      I'm not sure GP's claim here about the runtime not changing in 4 years is actually true. There hasn't been a version number bump, but files in the runtime have certainly changed since its initial release in 2021, right? See: https://steamdb.info/app/1628350/patchnotes/

      It looks to me like it gets updated all the time, but they just don't change the version number because the updates don't affect compatibility. It's kinda opaque though, so I'm not totally sure.

    • > So... are you arguing that we do need to ship everything vendored in so that it can't be updated,

      I’m arguing that the prevalence of Docker is strong evidence that the “Linux model” has fundamentally failed.

      Many people disagree with that claim and think that TheLinuxModel is good actually. However, I point out that these people almost definitely make extensive use of Docker. And that Docker (or similar) is actually necessary to reliably run programs on Linux because TheLinuxModel is so bad and has failed so badly.

      If you believe in TheLinuxModel and also do not use Docker to deploy your software then you are, in the year 2025, a very rare outlier.

      Personally, I am very pro ShipYourFuckingDependencies. But I also don't think that deploying a program should be much more complicated than sharing an uncompressed zip file. Docker adds a lot of crusting. Packaging images/zips/deployments should be near instantaneous.
