Bert Hubert
But on the other hand, if someone asks me to be responsible for a piece of software, and it's an important piece of software, it's not a birthday calendar. It's something that people rely on. I need to know what is in there. I need to know what I'm shipping. And if I run a modern piece of software development and I end up with like 300 dependencies, which are also included dynamically,
So at one point, I was in a situation where we said, we have to audit this software. I said, okay. And then it turned out that if you would build the software three weeks apart and you didn't change anything, it still would have changed. Because by that time, the dependencies had moved around and shifted their own dependency.
So I'm actually sort of hardcore in the sense that I don't think you can ship software with like... 300 dynamic dependencies. And people are still doing it, of course. But I do wonder what they're doing. And people have said, look, you C++ people or C people, you have one huge dependency, which is called your library. And you rely on your operating system for a lot.
And that's also like millions of lines of code. But there you have a little bit of safety blanket that everyone relies on the C library. And so there are a lot of eyes on it. And it also doesn't change that much. And we all rely on the operating system. And lots of people are looking at that. So I... I'm sort of maybe on the low end of rebuilding my own wheels too often.
But on the other hand, I still cannot understand shipping software where you say, look, I honestly do not know what is in there, because it gets determined at build time what is in there. And maybe you could audit 300 dependencies if you would have enough, but it requires a lot of work to actually sort of even figure out who is writing all these dependencies, who owns them.
So, yeah, I struggle with this because when I tell people that I simply cannot believe that you run npm install get, I counted it, 5 million lines of code come out when you do that for the most basic product. How can you ever know what is in those 5 million lines? But apparently I'm old, apparently. And it is now considered very normal. And I know for a fact that my car has NPM in there.
And I find that worrying. How do you know? Because it tells you so. There's this screen that says the copyright and the licenses and stuff. And it says, look, React is in there and NPM is in there. And I hope it's not in the driving parts of the car. I hope this is just a radio or something like that.
I hope that is the case. I hope that is the case.
Yeah, it is. And I come from a world where people also have to develop on networks with no internet connection. And it's just basically impossible for many people to function there anymore because you try to do something and yeah, there is no internet. There is no network.
And the people that are in national security software or encryption software or that kind of stuff, intelligence agencies, they are actually in trouble, because the art of developing without a fully functioning network connection, that's dying out, because there are lots of people that need a runtime connected to the internet to get anything going.
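The build-drift problem described in the transcript (two builds weeks apart, nothing changed by the developer, yet the shipped code differs) can be made visible by comparing resolved-dependency snapshots. The following is an added example, not code from the speaker or the podcast; the two snapshots are constructed, simplified lockfile-style records with placeholder package names and integrity values.

```python
"""Detect dependency drift between two builds of the "same" project.

Added example: compares two constructed dependency snapshots shaped like the
"packages" section of an npm lockfile (path -> {version, integrity}) and
reports every transitive package that changed although nothing was declared.
Package names and integrity strings are placeholders, not real packages.
"""
import json

# Constructed snapshot of the resolved tree at build time, week 0.
BUILD_WEEK_0 = json.loads("""{
  "node_modules/pkg-a": {"version": "1.3.0", "integrity": "sha512-PLACEHOLDER-A"},
  "node_modules/pkg-b": {"version": "1.2.5", "integrity": "sha512-PLACEHOLDER-B"},
  "node_modules/pkg-c": {"version": "5.0.0", "integrity": "sha512-PLACEHOLDER-C"}
}""")

# Constructed snapshot three weeks later, same source, same manifest:
# pkg-b moved a patch version, pkg-c kept its version but its content hash
# changed, and a new transitive dependency appeared.
BUILD_WEEK_3 = json.loads("""{
  "node_modules/pkg-a": {"version": "1.3.0", "integrity": "sha512-PLACEHOLDER-A"},
  "node_modules/pkg-b": {"version": "1.2.6", "integrity": "sha512-PLACEHOLDER-D"},
  "node_modules/pkg-c": {"version": "5.0.0", "integrity": "sha512-PLACEHOLDER-E"},
  "node_modules/pkg-d-transitive": {"version": "0.1.0", "integrity": "sha512-PLACEHOLDER-F"}
}""")


def diff_snapshots(old, new):
    """Classify every package in either snapshot.

    'content_changed' (same version, different integrity) deserves the closest
    scrutiny: the version string alone would hide that the bytes changed.
    """
    report = {"added": [], "removed": [], "version_changed": [], "content_changed": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report["added"].append(name)
        elif name not in new:
            report["removed"].append(name)
        elif old[name]["version"] != new[name]["version"]:
            report["version_changed"].append((name, old[name]["version"], new[name]["version"]))
        elif old[name]["integrity"] != new[name]["integrity"]:
            report["content_changed"].append(name)
    return report


def is_reproducible(old, new):
    """True only when the resolved tree is byte-for-byte identical."""
    return not any(diff_snapshots(old, new).values())
```

Pinning a lockfile and verifying integrity hashes at install time is what makes the week-3 build equal to the week-0 build; this check is how you notice when that has not happened.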