Every conversation about dependencies since 2020 uses the same XKCD 2347 based image, which is a problem on multiple levels
Posted by jpluimers on 2024/08/01
The below picture is a modification of [Wayback/Archive] 2347: Dependency – explain xkcd
Title text: Someday ImageMagick will finally break for good and we’ll have a long period of scrambling as we try to reassemble civilization from the rubble.
It actually emphasises two problems: that [Wayback/Archive] xkcd 2347: Dependency is way too optimistic, and that everyone uses it to point out dependency issues, or worse, as a thought-terminating cliché.
The second problem amplifies itself: it increases the popularity of the comic, and that attracts people to use it even if they hardly know anything about dependencies.
In turn this diminishes the meaning of the comic, making it even more optimistic by amplifying the message “there is just one really fragile project our design/infrastructure depends on” (the infamous “A project some random person in Nebraska has been thanklessly maintaining since 2003”).
The sad reality is that this “single fragile project” picture is just not true. Modern development and infrastructure systems usually are underpinned by package managers installing complex graphs of dependencies, of which dozens, heck, thousands are maintained for “free” by, more often than not, a single worn-out maintainer per dependency.
It’s just that over the last few decades usually only one such package at a time posed a serious problem. But with dependencies on very small building blocks, the number of blocks is rising, as is their usage. Just two examples out of the Node.js world (mind you, each development and infrastructure stack lives in a comparable world):
- [Wayback/Archive] NPM – “is-even”, 160k weekly downloads | Hacker News
- [Wayback/Archive] Expert grabs expired domain for NPM package to make a point • The Register
Mind you, these links are 2021 and 2022, so the numbers have increased.
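To make the “complex graph of dependencies, each block maintained by one worn-out person” point concrete, here is an added example (not part of the original post, and not real npm data): it walks a small constructed dependency graph, computes the transitive closure from an application root, and ranks every package that has at most one maintainer by how many packages in the graph transitively depend on it. The package names, maintainer counts and edges are all made up for illustration; on a real stack you would feed it the lock file and maintainer metadata of your own package manager.

```python
from collections import defaultdict

# Constructed sample graph (not real registry data):
# package -> (direct dependencies, number of active maintainers)
GRAPH = {
    "my-app":        (["web-framework", "logger"], 5),
    "web-framework": (["http-parser", "is-even"], 8),
    "logger":        (["ansi-colors"], 1),
    "http-parser":   (["is-even"], 2),
    "ansi-colors":   ([], 1),
    "is-even":       (["is-odd"], 1),
    "is-odd":        ([], 1),
}


def transitive_deps(root, graph):
    """Every package reachable from `root` by following dependency edges."""
    seen, stack = set(), [root]
    while stack:
        pkg = stack.pop()
        for dep in graph[pkg][0]:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def transitive_dependents(pkg, graph):
    """Every package that (directly or indirectly) depends on `pkg`."""
    reverse = defaultdict(set)
    for name, (deps, _) in graph.items():
        for dep in deps:
            reverse[dep].add(name)
    seen, stack = set(), [pkg]
    while stack:
        cur = stack.pop()
        for upstream in reverse[cur]:
            if upstream not in seen:
                seen.add(upstream)
                stack.append(upstream)
    return seen


def nebraska_report(graph, root, max_maintainers=1):
    """Rank low-maintainer packages in root's closure by blast radius.

    Returns a list of (package, maintainers, transitive_dependents),
    most-depended-upon first, so the 'pillars' the comic hides become visible.
    """
    rows = []
    for pkg in transitive_deps(root, graph):
        maintainers = graph[pkg][1]
        if maintainers <= max_maintainers:
            rows.append((pkg, maintainers, len(transitive_dependents(pkg, graph))))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    print(f"{len(transitive_deps('my-app', GRAPH))} transitive dependencies of my-app")
    for pkg, maintainers, dependents in nebraska_report(GRAPH, "my-app"):
        print(f"{pkg:14} maintainers={maintainers} transitive dependents={dependents}")
```

Even in this toy graph four of the six transitive dependencies rest on a single maintainer, and the tiny leaf package at the bottom is the one with the largest number of dependents; that is the shape the modified comic is pointing at, not one lonely block.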
Many think such problems are limited to programming errors, but over the last decade those have become the tip of the iceberg. The real problem now is that maintainers are fading away, for instance because they have been worn out for too long, or simply because they are aging. So what we have seen over the last decade is the rise of supply chain attacks.
One such example was the XZ Utils backdoor, which was barely detected in time, and only by sheer luck: one guy tried to investigate why connecting over ssh had become much slower than before. It had a CVSS score of 10.0, the highest possible score.
So be prepared that the below picture will have “your business structure” on the top, and towards the bottom a bunch of small fragile pillars with the text “many projects, each maintained by a worn out person on the verge of collapse”.
[Wayback/Archive] 75fcf87154dbbe62.png (744×956)
[Wayback/Archive] mhoye: “A modified version of the xkcd-2347 comic about dependencies that says “every conversation about dependencies since 2020”, in which the lynchpin block is now labelled “this fucking comic”.…” – Mastodon
Plain numeric link: [Wayback/Archive] Explain XKCD 2347
Thanks for this very insightful comment to the first toot: [Wayback/Archive] Clifford Adams: “@gob @glyph @ben_hr @mhoye I…” – Fosstodon
I don’t fault Randall for his comics, although maybe he should do an XKCD where he adds a disclaimer that not all situations fit any particular XKCD. (Then people could refer to that XKCD number and feel REALLY SMART.) Techbros often misuse XKCDs (or memes in general) as a kind of “thought terminating cliché”, especially the infamous 927 about standards. Just cite the XKCD and walk away – no need to consider the issues in depth.
And be sure to watch this great talk: [Wayback/Archive] “Quantifying Nebraska” – Adam Harvey (Nbpy2024) – YouTube
How can we find these projects and ensure that their maintainers get the thanks and — more importantly — the resources they need?
--jeroen