mina-dev mailing list archives

From Jonathan Valliere <john...@apache.org>
Subject Re: Q: SSHD - Should we add dependencies to Apache Commons or not ?
Date Fri, 17 Aug 2018 11:44:53 GMT
Code which was already made shouldn’t be an issue unless it is full of
bugs.  We should be careful when trying to replace existing code with
external libraries because there is rarely a guarantee that it will work
exactly as the old code does.

Dependencies create problems when the dependent project decides to slightly
change the behavior of X class (for some reason); then our project starts
showing random bugs every 16 hours because of it.

For example, we may have a Compare<> which violates the contract because
(A) is not always greater than (B).  This violation works fine in QuickSort
but causes MergeSort to explode with Exceptions in very rare situations.  A
dependency could decide that MergeSort was better/faster and change without
us knowing, causing very random bugs to show up in production systems with
our code.

We have to fix bugs in our projects and support the code in the
dependencies.  Unless the dependent code is huge (like Bouncycastle), I
think it rarely works out as an energy-time-saver.

On Fri, Aug 17, 2018 at 3:48 AM, Lyor Goldstein <lgoldstein@apache.org>

> >>> Of course, it's all about the size of what is copied. At some point,
> it
> would be better to go with a third party dependency instead of copying
> its code.
> Valid observation - we will need to "weigh" the amount of copied code and
> see how "heavy" it is.
> >>> One important aspect of adding external dependencies is that it binds
> our users,
> unless they use OSGi.
> I am not clear as to what this concern actually raises. SSHD has at least
> one mandatory dependency (*slf4j*) and at least 2 others that are very
> likely to be used - *Bouncycastle* (the code can work quite smoothly even
> without it, but many consider it very useful) and *EdDsa* (optional as far
> as SSHD is concerned, but effectively *must* have for users who require
> EDDSA key support). So what does it matter if instead of 1, 2 or 3
> dependencies we have 5, 6, 7, or even 10? How does this require OSGi?
> Isn't Maven/Gradle dependency mechanism good enough?
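The Comparator scenario above (a contract violation that one sort algorithm tolerates and another throws on) can be caught before a dependency upgrade exposes it. The following is an added example, not code from this thread or from SSHD; the comparators and the sample keys are hypothetical, and the checker simply tests the Comparator contract (antisymmetry and transitivity) over a sample set.

```java
import java.util.*;

public class ComparatorContractCheck {
    // Hypothetical broken comparator: orders by length, but for equal lengths
    // always answers "a < b", so compare(a, b) and compare(b, a) are both
    // negative. Insertion sort tolerates this; TimSort may throw
    // "Comparison method violates its general contract!" on some inputs.
    static final Comparator<String> BROKEN = (a, b) ->
            a.length() != b.length() ? Integer.compare(a.length(), b.length()) : -1;

    // Corrected comparator: equal lengths fall back to natural String order.
    static final Comparator<String> FIXED = (a, b) ->
            a.length() != b.length() ? Integer.compare(a.length(), b.length())
                                     : a.compareTo(b);

    /** Returns a description of the first contract violation found, or null. */
    static <T> String findViolation(Comparator<T> c, List<T> sample) {
        for (T a : sample) {
            for (T b : sample) {
                int ab = Integer.signum(c.compare(a, b));
                int ba = Integer.signum(c.compare(b, a));
                // sgn(compare(a, b)) must equal -sgn(compare(b, a)); this also
                // covers reflexivity, since compare(a, a) must then be 0.
                if (ab != -ba) return "antisymmetry broken for " + a + " / " + b;
                for (T x : sample) {
                    int bx = Integer.signum(c.compare(b, x));
                    int ax = Integer.signum(c.compare(a, x));
                    // a > b and b > x must imply a > x
                    if (ab > 0 && bx > 0 && ax <= 0)
                        return "transitivity broken for " + a + " / " + b + " / " + x;
                    // a == b and b == x must imply a == x
                    if (ab == 0 && bx == 0 && ax != 0)
                        return "equivalence broken for " + a + " / " + b + " / " + x;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample of key-type names; any realistic input set works.
        List<String> sample = Arrays.asList("rsa", "dsa", "ed25519", "ecdsa", "x");
        System.out.println("BROKEN: " + findViolation(BROKEN, sample));
        System.out.println("FIXED:  " + findViolation(FIXED, sample));
    }
}
```

Running `findViolation` over representative inputs in a unit test flags the latent bug regardless of which sort algorithm a future library version chooses.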
