Editing 2347: Dependency

{{comic
| number    = 2347
| date      = August 17, 2020
| title     = Dependency
| image     = dependency.png
| titletext = Someday ImageMagick will finally break for good and we'll have a long period of scrambling as we try to reassemble civilization from the rubble.
}}

==Explanation==
Technology architecture is often illustrated by a [https://www.guru99.com/images/1/102219_1135_TCPIPvsOSIM1.png stack diagram], in which higher levels of rectangles indicate components that are dependent on components in lower levels. This is analogous to a physical tower of blocks, in which higher blocks rest on lower blocks. The stack in this cartoon bears a striking resemblance to a physical block tower, suggesting the danger that the tower will lose its balance when a critical piece is removed, in this case a piece near the bottom, labeled as being maintained by a single semi-anonymous person located somewhere relatively unimportant doing it for their own unknown reasons without fame or acknowledgement. The concept of balance is not intended to be communicated by a stack diagram, making this a humorously absurd extension of a well-known diagram style.

{{w|ImageMagick}}, mentioned in the title text, is a popular, standalone utility released in 1990 that is used for performing transformations between various graphics file formats, and various other transformations.  While there are also numerous libraries and APIs for performing these tasks within larger programs, ImageMagick is so popular and easy to use that many programs use its API or just find it easier to {{w|Shell (computing)#Other uses|shell out}} to ImageMagick to perform a necessary transformation. They therefore {{w|Dependency hell|depend}} on ImageMagick, and would break if ImageMagick were to disappear.

===Background and Examples===
Taking code re-usability and modularization to its logical extreme has been a long-time tenet for programmers; programming began as a slow task on very memory-constrained systems, utilizing punch cards and days of delay waiting to discover a bug, so that reuse made things possible that otherwise wouldn't be.  Once systems became small, fast, and able to hold a lot of data, the ability to provide higher and higher degrees of automation made reusable libraries a huge engine behind the development of technology.  By outsourcing what would seem like basic functions, such as string manipulation, to other libraries, developers waste less time reinventing the wheel, so the philosophy goes (or as Beret Guy's business practices literally: [[2140: Reinvent the Wheel]]), and thus many tiny packages, many of which contained only one function, became popular dependencies. This was especially true in Unix and Linux, where an entire program is commonly used for one small task, and programs exist to tie others together into powerful shell scripts.

Node.js (a platform for JavaScript) and Python are two modern ecosystems providing huge stashes of centralized libraries where developers of the world can come together to stand on the shoulders of all the small useful libraries they make for each other, to make new ones that are more and more powerful, and also more and more prone to sudden new unexpected bugs somewhere in the dependency chain.  JavaScript was designed to be an easy to use front end scripting language, not a basic and core backend language as users of node.js's {{w|npm (software)|NPM}} package manager have made it be.  While in theory, such a system may sound good for developers who would need to write and maintain fewer lines of code, systems which are highly optimized are also highly susceptible to rapid changes. For example, the famous left-pad incident in the NPM package manager left many major and minor web services which depended on it unable to build. [https://www.theregister.com/2016/03/23/npm_left_pad_chaos/ A disgruntled developer unpublishing 11 lines of code was able to break everybody's build, because everyone was using it.]

In 2014, the {{w|Heartbleed|Heartbleed bug}} revealed a significant portion of the internet was vulnerable to attack due to a bug in OpenSSL, a free and open-source library facilitating secure communication. One headline at the time demonstrated this comic in real life: [https://www.buzzfeed.com/chrisstokelwalker/the-internet-is-being-protected-by-two-guys-named-st "The Internet is Being Protected by Two Guys Named Steve"]. The aforementioned Steves were overworked, underfunded, and largely unknown volunteers whose efforts nevertheless underpinned the security of major websites throughout the world. Randall provided a concise, helpful explanation of the bug in [[1354: Heartbleed Explanation]].

In 2020, the sole maintainer of the library [https://github.com/zloirock/core-js/blob/master/docs/2023-02-14-so-whats-next.md core-js], used by 75% of the top 100 websites to polyfill in new JavaScript features for old browsers and depended on by tons of popular libraries such as Babel, ran over two dark-clothed drunk pedestrians, one of which were laying down, at night in Russia while speeding in front of a crossing. He quit previous jobs to be able to maintain core-js, resulting in not having enough money to settle, and he was convicted for 18 months to labor in a chemical plant with other prisoners.

Leading up to 2024, a user account going by the name Jia Tan gained the trust of ''{{w|XZ Utils|xz}}'''s (one and only) maintainer.  Over the course of 3 years, Jia Tan cleverly inserted a patch into ''xz'' that allows a remote user to gain root-level access via the common ssh protocol. This {{w|XZ_Utils_backdoor|comprised version of ''xz''}} was released in March 2024.  Another programmer, Andres Freund, found this backdoor before ''xz'' was widely distributed.

The current model of libraries and open-source development (topics which Randall has addressed extensively in the past) relies heavily on the free and continued dedication of unpaid hobbyists. Though some major projects such as Linux may be able to garner enough attention to build an organization, many smaller projects, which are in turn reused by larger projects, may only be maintained by one person, either the founder or another who has taken the torch. Maintaining libraries requires both extensive knowledge of the library itself as well as any use cases and the broader community around it, which usually is suited for maintainers who have spent years at the task, and thus cannot be easily replaced. Thus, there are many abandoned projects on the internet as people move on to greener pastures. Far from the days of backwards compatibility, that's usually not a problem, unless a project happens to be far up the dependency chain, as illustrated, in which case there may be a crisis down the road for both the developers and the users down the chain.



==Transcript==
:[A tower of blocks is shown. The upper half consists of many tiny blocks balanced on top of one another to form smaller towers, labeled:]
:All modern digital infrastructure

:[The blocks rest on larger blocks lower down in the image, finally on a single large block. This is balanced on top of a set of blocks on the left, and on the right, a single tiny block placed on its side. This one is labeled:]
:A project some random person in Nebraska has been thanklessly maintaining since 2003
	
{{comic discussion}}
[[Category: Programming]]