Hacker News: michaelw's comments

From Hyrum's Law to AI generated unit tests to automatically validate implicit dependency contracts.

Oh this brings back some fun memories. I worked with QNX for the ICON computer at Cemcorp and ESP Educational Software Products.

The OS was so clean but it lacked a lot of basic tooling. Back then there was no GUI or even a graphics library. We had to build or port a lot of things, including a VCS, from scratch. My editor of choice was JOVE (I couldn't get Emacs to build). I remember digging up various papers on graphics and creating our first graphics library.


Please see my other reply about network costs. Bandwidth is a real cost that does not currently show up on the balance sheet because of Fastly's generous donations.

That said, I would love to see more organizations implement private staging repositories for their upstream package supply. This is where they can and should apply policies to protect their applications.

Developing a single multi-protocol or even multiple open source caching proxies will cost real time and money. I'd love to see more solutions here but at this stage it will take more than a few volunteers and a "PRs welcome" in the README.


If the costs were all bandwidth related I would agree. Most open source package managers benefit from Fastly's generous donation of credits. Even if one ignores the single-provider-point-of-failure risk, the reality is that the development and operational costs of running package managers are much more than just networking bandwidth and more is needed.

Malware scanning, AI slopsquatting, and typosquatting are just a few of the things that package managers do today. Implementing emerging standards like Trusted Publishing ( https://repos.openssf.org/trusted-publishers-for-all-package... ), the Principles for Package Repository Security ( https://repos.openssf.org/principles-for-package-repository-... ), and improved infrastructure hardening will all be important.

The key insight is that these are services that require development and operations budgets that scale with their usage.


Original joint statement on the OpenSSF blog: https://openssf.org/blog/2025/09/23/open-infrastructure-is-n...


Package managers are the app stores of software development. They are essential to the developer workflow and are key points of leverage with regard to supply chain security. They will be even more critical as AI-based development expands.

The root-cause problem is that package managers are funded like charities when they should be operating like non-profits. Their costs scale with usage but their donation-based revenue is dwindling. This problem has been partially masked by generous infrastructure donations but the operational costs are not just network and compute. There's a lot of security engineering development and ops in running a package manager service.


Host your own dependencies folks!

There are three major types of risk in software supply chain:

  - Correctness. Does the source have flaws (or backdoors) that allow it to be exploited?
  - Integrity. Was it tampered with from source to binary (typically to inject intentional flaws or backdoors)?
  - Availability. Is it available for use in a build?

This last one is often ignored. It's less sensational and "nothing ever goes away from the Internet, right? Right???"

There are all kinds of nasty examples of dependencies going away. The two big patterns are:

  - Infrastructure availability. That's this case and yes, CDNs are a nasty point of failure. Wanna guess how many package managers depend on a single CDN?
  - Intentional delisting. This has happened often enough over the past few years. When the package maintainer throws their toys out of the pram and either removes the package from public access or effectively zeros it out. This can happen to the source too (hello colors.js).

The ideal is to have your build process be hermetic, not just from when you kick off the build but over a longer period of time. At the very least have an artifact management solution that you control as a caching proxy.

I'd like to see the major cloud providers caching all the major package repos inside their networks.

I'd also like to see multiple CDNs for every major package ecosystem.

I highly recommend reading https://slsa.dev
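One concrete way to act on the availability and integrity points in the comment above, as an added example that is not part of the original post: a small Python audit that checks every pin in a lockfile against a self-hosted mirror and reports what has vanished or been altered. The lockfile line format ("name==ver --hash=sha256:<hex>") and the mirror's "<name>-<ver>.tar.gz" file naming are assumptions chosen for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Lockfile lines look like "name==ver --hash=sha256:<hex>"; the mirror stores
# one file per artifact named "<name>-<ver>.tar.gz" (both are assumptions).
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_lockfile(text):
    """Return {(name, version): {sha256 hex, ...}}; reject unpinned lines."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError("unpinned or malformed line: %r" % line)
        pins[(m["name"], m["ver"])] = set(HASH_RE.findall(line))
    return pins


def audit_mirror(pins, mirror_dir):
    """Label each pin 'ok', 'missing' (availability) or 'hash-mismatch' (integrity)."""
    report = {}
    for (name, ver), hashes in pins.items():
        artifact = Path(mirror_dir) / ("%s-%s.tar.gz" % (name, ver))
        if not artifact.is_file():
            report[(name, ver)] = "missing"  # vanished upstream and never cached
            continue
        digest = hashlib.sha256(artifact.read_bytes()).hexdigest()
        report[(name, ver)] = "ok" if digest in hashes else "hash-mismatch"
    return report


def demo():
    """Constructed mirror: one intact, one tampered and one absent artifact."""
    good = b"alpha-1.0.0 archive bytes"
    lock = "alpha==1.0.0 --hash=sha256:%s\n" % hashlib.sha256(good).hexdigest()
    lock += "beta==2.0.0 --hash=sha256:%s\n" % hashlib.sha256(b"beta-orig").hexdigest()
    lock += "gamma==3.0.0 --hash=sha256:%s\n" % ("0" * 64)
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "alpha-1.0.0.tar.gz").write_bytes(good)
        (Path(d) / "beta-2.0.0.tar.gz").write_bytes(b"beta-replaced")
        return audit_mirror(parse_lockfile(lock), d)
```

Running the audit in CI against the proxy you control turns "the package disappeared" from a surprise at build time into a reported finding.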


Here's a simple way to think about fuzzing. If you're not fuzzing your interface to find vulnerabilities, someone else is.


I didn't see anything about the many benefits that are not typically considered income by the IRS. Most notably, health insurance represents a significant extra cost that makes that 18% advantage look a little smaller. Add in 401K retirement matching and factor in the increased risk and the advantage probably goes away.


In the US business owners can contribute far more tax free to their 401k up to $50k a year. This and other tax writeoffs can skew in favor of a small business greatly over a job. However, I agree most people aren't able to do the small business


This is simply not true. In fact, working at Google will expose you to all kinds of interesting ideas and problems. Many of those problems will just sit there because Google can't prioritize them right now.

