Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I consider myself quite promiscuous when trusting software but sometimes just can't. Seeing how signal desktop does 100MB updates every week, or the big ball of coalesced mud that is typescript compiler, made me avoid these. Why there isn't more pushback against that complexity?


When something complex exists it’s usually because alternatives are worse. Would you have less issues with 10MB updates? 1MB? One megabyte is a lot of text, a good novel for a week of evening reading can be less than that.


I think the concern OP has is why a lot of the updates are so large. I use signal desktop and the UI hasn't changed in years. It begs the question what those 100mb are and whether it's actually necessary.


> the UI hasn't changed in years. It begs the question what those 100mb are and whether it's actually necessary.

Signal desktop doesn't use incremental updates. Each "update" is just reinstalling the whole package. That's what those 100 MB are.

It's possible to make incremental updates with binary patches, but it's more difficult. I guess Signal have other priorities.


I believe the Signal desktop app is an electron app. That’s probably why the updates are so big, has to update the bundled browser.


Yes, but that is a choice. It doesn't have to do that.

Because, instead of "trusting" the update (or rather codebase) of a messenger, we now have to trust the complete browser bundle.


They don't have to, but question was why it takes 100mb and you got the answer.

You may additionally ask why Electron, but that's a different question after all.


That’s only formally a choice. In reality, you’ll depend on some delivery system (among many other systems) that is a part of some build/dev system that is a part of a job market conjuncture.

And all of that is completely out of your control and competence budget, unless you’re fine with shipping your first 50kb updates ten (metaphorical) years later.


Reviewing 1MB of code is a least 100 times easier than reviewing 100MB of code.


It's not going to be 100MB of code.


It will probably be more.


it takes a lot more time to understand code and find meaningful bugs than it does to read most novels


As long as the end result works and doesn't pile up install data ad infinitum on the system I wouldn't bat an eye at something that takes 2 seconds to download over an average internet connection.

What really grinds my gears is updates that intentionally break things. Sometimes on purpose, sometimes out of incompetence, but most often out of not giving a single fuck about backwards compatibility or the surrounding ecosystem.

Every few years I lull myself into the false sense of security over running apt upgrade, until it finally destroys one of my installs yet again. Naturally only one previous package is ever stored, so a revert is impossible if you ever spent more than two releases not doing an upgrade. Asshole-ass design. Don't get me started on Windows updates (actual malware) or new python versions...


What you're working on must be very sensitive if you can't trust Typescript. From my point of view, Microsoft already has VS Code and Github so...


It pulls so many dependencies and the npm situation is frequent topic of conversation here. And the hype makes it attractive target. No idea how MS and Gihub relate to that.


A few years ago some guy demonstrated how vulnerable the NPM ecosystem is but NPM chose to shoot the messenger instead of fixing the problem. Makes me think that the three letter agencies want the software to be vulnerable to make their job easier.


Can you point out some examples of NPM shooting messengers? I recall mostly silence and new security controls appearing (albeit opt in) in response to the crisis.


You say they chose not to fix it like it's a simple problem with an obvious solution


What exactly are you referring to? Specifically typescript has zero dependencies.

Generally speaking, I agree, the npm-ecosystem still has this pervasive problem that pulling one package can result in many transitive dependencies, but a growing amount of well-known packages try to keep it as limited as possible. Looking at the transitive dependency graph is definitely good (necessary) hygiene when picking dependencies, and when done rigorously enough, there shouldn't be too many bad surprises, at least in my personal experience.


Oh that must have changed. `npm install typescript` output was totally scary some year or so ago.


Typescript-the-compiler has exactly zero dependencies. But maybe that's now what you were referring to…?


I suspect it’s because developers learn from the top down. Fifty layers of crappy abstractions are invisible.


Well most developers do it for money.

The fastest way to money is to not dig too deep


interesting perspective. i suppose complex minifiers would also be an attack vector, as they don't as readily afford even eyeballing obvious deviances due to the obfuscation


And we don't even know how many lines-of-code iOS is updating behind the scenes.

Or Tesla.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: