i think some twitter algorithm change or something has caused there to be a permanent "debate" about memory safety in c and it's revealed a lot of people i previously thought i respected to be pretty unserious
the recent xz backdoor has had a similar effect
how many hours of your life have you lost to being paid by a big-company employer trying to triage heuristic-based static analyser defect reports in a large c/c++ codebase? it's at least a two-digit number for me. i hope it wasn't three. i'm not sure i'd have survived four
it is incredibly tedious, exhausting work, which requires a great deal of knowledge, care, skill. it's also almost pointless. software quality is a very difficult problem. we are searching for needles in haystacks
if someone saw a glint from a corner of their eye, we were lucky
we will never have enough eyes to make all bugs shallow. we'll never find every needle in every haystack. the best we can do is try to reduce their size.
so i find you insufferable if you think the haystacks should remain large, or finding the xz needle means there's no problem
as a tangent i am also a burnt out open source maintainer and i burnt out because i cared too much about code quality
and of course when you care about quality and burn out, the end result is always just that the quality level drops. either you stop entirely and the project is forked, or you hand over to a new maintainer who can't maintain those standards as they don't have the knowledge
one of my problems is i'm very hesitant to add new dependencies. i'd prefer to write a few pages of code myself than depend on an external library. or use one that's small. at least i understand it then.
but your own code is also a liability! you probably did it wrong.
that nice, tiny, single-file dependency that replaces a huge, well-known library? it's someone's weekend project. it's not well-tested. it has a buffer overflow vulnerability in it. it didn't need to be attacked, it was faulty to begin with. you didn't actually understand it.
i don't have the answers, sorry.
@hikari I'm exactly the same