How One Dev Broke Node and Thousands of Projects In 11 Lines of JavaScript (theregister.co.uk) 480
An anonymous reader quotes an article written by Chris Williams for The Register: Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koculu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koculu yanked his source code because, we're told, one of the modules was called Kik and that apparently attracted the attention of lawyers representing the instant-messaging app of the same name. According to Koculu, Kik's briefs told him to take down the module, he refused, so the lawyers went to NPM's admins claiming brand infringement. When NPM took Kik away from the developer, he was furious and unpublished all of his NPM-managed modules. 'This situation made me realize that NPM is someone's private land where corporate is more powerful than the people, and I do open source because Power To The People,' Koculu blogged. Unfortunately, one of those dependencies was left-pad. It pads out the lefthand-side of strings with zeroes or spaces. And thousands of projects including Node and Babel relied on it. With left-pad removed from NPM, these applications and widely used bits of open-source infrastructure were unable to obtain the dependency, and thus fell over.
So, in summary (Score:4, Insightful)
So, what have we learned?
External dependencies are unsustainable;
JavaScript is unmaintainable;
Dozens of mainstream projects relying on a trivial bit of string padding code from an external JavaScript dependency is unconscionable.
Re: (Score:2, Insightful)
Dozens of mainstream projects relying on a trivial bit of string padding code from an external JavaScript dependency is unconscionable
This is the state a *lot* of open source projects are in. Dependency trees that make windows dll hell look sane. We have cranked out thousands of packages like this. Tons of people writing things to get 'resume cred' then immediately forgetting about it after they get a job. The code lives on as a zombie with no one really digging in and taking a look at it.
Then this litt
Re: (Score:3)
I think the Kik guys deserved to have a sharp spike "kiked" (sic) up their asses. You really think they look like good guys for threatening an open source developer who probably never wrote an IM client in his life?
JAVASCRIPT NEEDS TO GO! (Score:3, Insightful)
It's fucking unbelievable how much trouble JavaScript has caused for so many people.
Let's ignore how fundamentally broken it is, as a programming language, in almost every respect. That includes its fucking awful type system, its total lack of real OO (sorry, prototypes are complete shit), its ultra shitty standard library (which is why NPM and this problem exist in the first place), and similar problems.
JavaScript has allowed too many unskilled cranks to shit out way too much broken code. It was one thing
PLUMBING NEEDS TO GO! (Score:5, Funny)
It's fucking unbelievable how much trouble plumbing has caused for so many people.
Let's ignore how fundamentally broken it is, as a technology, in almost every respect. That includes its fucking awful historical association with toxic lead, its total lack of real modularity (sorry, reservoirs are complete shit), its ultra shitty set of mutually incompatible pipe sizes, materials, and connections (which is this problem exist in the first place), and similar problems.
Plumbing has allowed too many unskilled cranks to shit out way too many leaky pipes. It was one thing when they did it in Ancient Rome, where it was isolated to a fountain in the town square. Now it's being done in people's houses, and it's a motherfucking disaster!
Worse, plumbing has enabled the for-profit water supply industry. Plumbing makes it trivial for them to track every drop of water you use. If you don't want to fall victim to it, then you have to waste your time turning off a bunch of valves, and digging wells everywhere.
Plumbing needs to go.
If you really need to use a water delivery technology, use a river, or a pond, or even a goddamn barrel . All three of them are better than plumbing in every way.
Re:PLUMBING NEEDS TO GO! (Score:5, Informative)
Do you work in the water industry? This is actually spot on!
It's so bad we don't even know where half the damn pipes are. We know where the ends are, but if there is a leak in the middle we are fucked. Even in the best countries 25% of the water leaks out, and in some places it's over 50%. Even better, the last 20% just isn't even worth fixing... If a leak is costing the company 5 bucks a month, they ain't gonna send someone to dig up the road and fix it.
Re: (Score:3)
I'd almost rather deal with Javascript. Almos
Re: (Score:3)
unfortunately for you, the rant against javascript was not equivalent to a rant against plumbing, it was equivalent to a rant against using plain cardboard for pipes rather than, say, copper or stainless steel or plastic.
Re:It's the "Hipster False Switcheroo" fallacy! (Score:4, Informative)
Yes, it's the Hipster False Switcheroo Fallacy. Also known as satire.
"Mr. Swift, cease this frippery at once! I fail to see what infant cannibalism has to do with wealth inequality and class relations in Ireland!"
And how dare you, sir or madam or other. I'll have you know I've put countless man-or-woman-or-other-hours into my artisanal gluten-free bread.
Also, how dare you, Slashdot! Putting a squiggly red underline under "artisanal" in 2016. This is disappointingly regressive!
Re: (Score:3)
JS/Node/NPM are the new PHP.
Re:JAVASCRIPT NEEDS TO GO! (Score:5, Insightful)
...and Docker is the new Solaris Zones. Err, okay?
The point isn't that node.js sucks (personal opinion - it kinda does when mishandled, just like PHP), it's that like any tool, you have to use it correctly and try not to make it do shit that it wasn't designed to do.
We see this shit in Puppet-land, where so-called DevOps people rely on external github (not puppetforge, but random github) modules to run their servers. They never pull a local copy, but instead use something like Librarian [github.com] to pull it in dynamically... never realizing that if the guy maintaining $randomModule says 'fuck it' and pulls his project (or even just breaks his module), suddenly you're stuck with a broken model and a potential outage.
Re: (Score:3)
Perhaps. But that took time they could had used to invent a hyperdrive instead. So does the super-wheel outperform the popular wheel even when the opportunity cost of the time and effort that went into inventing it in a world where the popular wheel already existed is taken into account?
oh vanity... (Score:5, Funny)
This is just hilarious. What a shit-show, from the bullshit legal threat to the developer's hissy fit to the dependence on an apparently obscure package to implement (lol) left-padding.
Reminds me of someone I knew who was wringing his hands for a few days over which license to use for his super-awesome R function library. He asked me for advice, and I told him that it's ~30 lines of syntactic boiler-plate code so get over yourself and just put it in public domain so that the two people who ever use it can do so easily. But of course, he had to deeply consider the political implications of which flavor of "freedom" he would support.
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
you make a good point.
incidentally, i just took my morning shit. could you please tell me, before i flush the turds down the toilet, what redistribution license should i bless them with?
Re: (Score:2)
You don't like the license? Fuck off and write your own then. Simple.
Re: (Score:3, Insightful)
The downstream impact of my dump is comparable to the downstream impact of 99% of github bullshit. That's the analogy.
Some things are not worth agonizing over, or "discretion is the better part of valor".
Re: (Score:2)
Re:oh vanity... (Score:5, Insightful)
Missing from your list is that NPM didn't just pull the npm package, they reassigned it to a different user. Think about the security implications of that... it implies anyone can send a few intimidating emails, gain control of a major project, and then substitute with their own code/malware.
Assuming that's how it played out, it might be a good thing the developer threw a hissy fit: the resulting public fallout may or may not prompt NPM (and NuGet, Cargo, Docker, and so forth) to reconsider the trust problem they have created.
Re: (Score:3)
You'd be right if PTSD wasn't considered a disability. As it is considered a disability by medical professionals and organisations the world over, you are massively incorrect, and you've just shown that you're quite happy being incorrect if you can grind a suitable axe in the process.
Sure, its considered a medical disability, but what I started on about is still not measurable. Doesn't matter how you want to put it, it's not measurable. You cannot compare two cases of PTSD the way you can with most other things, because you cannot measure it. It all comes down to who says they feel $X more.
You've got to draw the line in the sand *somewhere*; you choose to draw the line at unmeasurable feels. I choose to draw it at what can be measured and quantified. Because, you see, if the world has t
What is Kik? (Score:3)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
If the license [spdx.org] applied to the project didn't explicitly mention "copying, distribution, and modification" that distinction might possibly have meant something.
But the license does. So the distinction does not.
Re: (Score:3)
You are absolutely fucking shit at using commas.
Re: (Score:3)
There is a legal aspect, and there is a moral aspect. SourceForge had the right to adware infected installers for open source software. Whether they should do, is another question. Same here.
Re: (Score:2)
Re: (Score:2)
1. The new owner apparently asked them to, so that would be permission.
2. They already have permission since the license the "software" was published under gave it to them.
Re: (Score:3, Informative)
Re: (Score:3)
Recall that trademark owners are required to protect their trademark.
That's only relevant if Kik has a JavaScript library. AFAIK, they do not. It's just another patent troll overreach.
Re:What is Kik? (Score:5, Funny)
This is the USPTO we're talking about here. Instant messaging services and Node.js libraries probably both fall under a category like "Products and services pertaining to computers, electronic calculators, magnetic or paper tapes, teletypes, slide rules, and abacuses"...
Re:What is Kik? (Score:5, Informative)
And the trademark for "KiK" an instant messenger "App" on phones or tablets, does not cover a "library" or even a "program" written for software development.
At least not in my country, and likely not in yours either.
Re:What is Kik? (Score:5, Insightful)
True, but lawyers don't understand those words, they just know it's about computers so anything computer related called "kik" must die. They are like marauding barbarians, waving their clubs in the air and smashing anything that looks a bit like the magic rock they worship.
Re: (Score:3)
And the trademark for "KiK" an instant messenger "App" on phones or tablets, does not cover a "library" or even a "program" written for software development.
At least not in my country, and likely not in yours either.
I'm guessing you are not a lawyer. The international law [wikipedia.org] on trademarks classifies goods and services into trademark categories. This classification puts "data processing equipment, computers; computer software" in the same group (along with bunch of other things). So an "App", a "program" and a "library" are all just "computer software" for trademark purposes.
But if you wanted to start a company called "KiK" to sell "Apparatus for lighting, heating, steam generating, cooking, refrigerating, drying, venti
Re: (Score:2)
They have a trademark for an instant-messaging application, not a JS library. Attempts to enforce the Kik trademark against NPM modules not dealing with instant messaging are vexatious, and any lawsuit raised is legal barratry.
Re: (Score:2)
They're a messaging application and have been around 5-6 years.
Oh, so I don't need to do anything then.
Recall that trademark owners are required to protect their trademark.
Trademarks are only in effect for what purposes they filed for. It cannot just cover any use of the word in any context.
Re: (Score:2)
And nothing of value was lost (Score:3)
Just kidding, I have no problem with Javascript. By the way, that summary was confusing as hell.
One of the beauties of JS is that it's easy to provide your own functions, so as long as it's only left-pad missing, you could provide your own, right?
function left_pad(str, min_length, pad_char){
if(str.length min_length){
str = Array(min_length - str.length).join(pad_char) + str;
}
return str;
}
(note, I did not do any sanity/error checking in the function, so do not simply copy/paste, please fill it out if you intend to use it)
Re: (Score:2)
seriously, whoever was using left-pad and was too lazy to implement this themselves deserves their fate.
Re: (Score:2)
Re:And nothing of value was lost (Score:4, Insightful)
Your left pad solution is 40% shorter and probably more efficient than the crap that was yanked from NPM.
The original code from NPM is more readable. Given the choice between compact code and readable code, I prefer readable code. Especially when it comes to my own code and I have to figure out what I wrote months or years later.
Re:And nothing of value was lost (Score:5, Informative)
Which only concatenates the string once.
Lesson for next time ... (Score:2, Insightful)
Re:Lesson for next time ... (Score:5, Insightful)
So you say everybody should write their own buggy and incomplete reinvention of the wheel?
Yes, probably most of his libraries aren't longer than 2000 lines of code, and therefore are pretty replaceable, but I don't think that writing your own libraries will decrease the total number of bugs, it will rather increase them.
Re: (Score:2)
What is this Kik module and what does it do? (Score:2)
Also, when was it made, originally?
Re: (Score:2)
Re: (Score:2)
Great. THAT was that bug I ran into 2 days ago. Fi (Score:2)
Installed Babel. Strange Error messages and babel borked and unusable. Same problem popping up all over the interweb.
Sad. Wanted to start with classes in JS. :-(
Does anyone know when this gets fixed and what the plan is?
Re: (Score:3)
Does anyone know when this gets fixed and what the plan is?
You could try to read the article.
To fix the internet, Laurie Voss, CTO and cofounder of NPM, took the "unprecedented" step of restoring the unpublished left-pad 0.0.3 that apps required. Normally, when a particular version is unpublished, it's gone and cannot be restored. Now NPM has forcibly resurrected that particular version to keep everyone's stuff building and running as expected.
Anybody surprised? (Score:5, Insightful)
I've always thought this interconnected pile of stuff, linking across a bunch of domains was lazy, dangerous, and likely to be very brittle.
Sorry, but the interwebs have shown me I can't afford to trust arbitrary code from all over the place, which can change at a moments notice, and which I know nothing about.
If you've created an infrastructure where tons of stuff breaks because some asshole corporation forces some guy to say "fuck you, you can't have my code", you have a terrible mess. What happens if someone adds some malicious code?
What I find really odd is they've over-ruled him and said "no, you can't un-publish your own stuff, we own it". So, what, they've decided his stuff was too important to still be his own? So he got fucked because of corporate assholes only to have his copyright infringed?
Jenga tower indeed, it sounds like the state of the art is a bunch of brittle dependencies controlled by a few places, and subject to causing a shit top of things to happen when someone makes a change.
This reminds me of a company I worked at which had a universal build system ... everything build from scratch every day and wouldn't build if any of its dependencies didn't build. So when some guy broke a components 3 components upstream, nobody could get anything compiled because the system was too stupid to go with the last known good ... and hundreds of developers sat around all day going "but, what do you mean we can't do anything because some guy checked in shit code".
Wow, just wow.
Steaming Heaps of Innovative Technology.
Re: (Score:3)
Re:Anybody surprised? (Score:4, Insightful)
What I find really odd is they've over-ruled him and said "no, you can't un-publish your own stuff, we own it". So, what, they've decided his stuff was too important to still be his own? So he got fucked because of corporate assholes only to have his copyright infringed?
*sigh* We really shouldn't still be having this conversation about how open source licensing works, but OK: They don't claim to own it, but they can redistribute it under the same licence that it was being distributed under. His copyright isn't infringed, it just remains distributed under the non-reversible licence that he chose to distribute it under in the first place.
Kik's briefs told him to take down the module (Score:3)
Damn bossy underwear!!!
D'oh (Score:3)
If you write *anything* that assumes the perpetual existence of a linked library from somewhere on the internet, you deserve what you get.
Most kids these days don't remember a time where internet access required a dial-up modem -- or it wasn't a 100% certainty it would be available.
Improper assertion of trademark? (Score:3)
Re: (Score:3)
This begs a question; is NPM (or a package manager in general) legally responsible for the hosted content?
Build a mirror for your dependencies! (Score:5, Insightful)
Second paradigm: mirror even your dependencies source code, if you can.
Re:The guy was ripping off leftpad (Score:5, Insightful)
Re:The guy was ripping off leftpad (Score:5, Insightful)
Dependencies are unavoidable, specially on big projects - you are not expected to reinvent the wheel every time you code.
Now, having a dedicated library dependency for padding strings is a bit of a stretch though...
Re:The guy was ripping off leftpad (Score:5, Insightful)
Dependencies are unavoidable, true, but it's a good practice to vet libraries before you include them and make sure they're worth the risk.
The risk with Open Source libraries is usually long term maintenance - will the project be maintained for the lifetime of my project? If the project is not maintained, is it something you're willing to take on and will the license and community let you fork it? If not, there's risk.
You also have the risk we see here - ideology trumping pragmatism (that's a nice way of saying the developer had a fit and took his toys away for reasons even he doesn't fully understand). In those cases, you also have the chance to fork, assuming the license/community allows it.
For trivial operations, such as left padding, it's almost never worth the risk to use a library unless it's part of the language's standard library. Sure, don't write your own FFT or ORM, but if you can code a function in a few minutes for a well defined problem, there's no reason to add an external dependency.
-Chris
Re: (Score:3)
"Dependencies are unavoidable, true, but it's a good practice to vet libraries before you include them and make sure they're worth the risk."
But that's not what is being said. What is being said is "dependencies are bad, you shouldn't have them" which is just ridiculous ideological bullshit. If nobody used dependencies half the software today wouldn't exist in any stable form because people would still be testing and debugging their newly-invented wheels.
Re: (Score:3)
What is being said is "dependencies are bad, you shouldn't have them"
It's true. It's also true to say 'reinventing the wheel is bad, you shouldn't do it'. Eventually, you have to pick the lesser of two evils, but neither solution is particularly enjoyable.
Re:The guy was ripping off leftpad (Score:4, Informative)
For trivial operations, such as left padding, it's almost never worth the risk to use a library unless it's part of the language's standard library. Sure, don't write your own FFT or ORM, but if you can code a function in a few minutes for a well defined problem, there's no reason to add an external dependency.
Generally I've found that anything taking less than two days (one day for writing, one day for testing) is worth rewriting yourself instead of adding a dependency (arguably, anything taking less than a week is worth rewriting, depending on the quality and stability of the dependency).
Re: (Score:2)
I guess? Every language with a package manager (like Python's pip [python.org]) is "vulnerable" to someone pulling the rug on a project.
Re: (Score:2)
Re:Unavoidable if you're LAZY (Score:5, Insightful)
Nonsense. Laughable, even. Quality programmers can build anything. If they're wise, they will.
I guess you never worked with code then, eh? It is not about whether they can or cannot - is about the resources involved. Writing and testing a production-level software library is not a trivial task. It takes time.
Again, this does not apply to string padding, which is usually resolved on a couple lines of code on the language of your choice...
Re: (Score:3)
Try writing an application that handles all the common image file formats, (at least JPEG, GIF, PNG and BMP) and get back to us.
Re: (Score:3)
Re: (Score:3)
Worse then that, because you probably didn't check for security issues and all the corner cases that other libraries developed over 2+ decades have dealt with.
No, I would take an approach similar to formal verification.
Re:The guy was ripping off leftpad (Score:5, Insightful)
Bullshit.
Dependencies and libraries are fine. If you want to use SSL encryption in your software you should try and re-implement it all, because while SSL libraries have been having security issues in the last few years there's almost zero chance you make something that doesn't have bigger ones. Multiply that by all the domain specific pieces of code you need.
Not having to understand what's actually going on is a feature not a problem.
What is retarded is using a dependency that exists out in the internet somewhere only, so that your code breaks if some random internet service disappears. As long as you have your own copy of the dependency it's fine. Some asshat can't yank them away since you have your own copy that doesn't magically stop working. Obviously you want the source code, or at the very least the source code escrowed somewhere that you obtain if the provider vanishes in the future.
Re: (Score:3)
It's a bit like asking the bum in the alleyway to hold the keys to your business for you over nights, instead of carrying them in your own pocket.
Re:The guy was ripping off leftpad (Score:5, Informative)
I don't think this proves libraries per-se are bad, but blindly depending on out-of-house software repositories for every build or (worse) every startup/deploy is crazy.
We're a Java house (go ahead, get your ki[c]ks in...), and we use around 100 open source libraries. They're all mirrored locally in an Ivy repository [apache.org] we maintain. No new versions get checked in unless they've passed a reasonable level of scrutiny, and nothing gets deleted unless we delete it.
Re:The guy was ripping off leftpad (Score:4, Interesting)
This. Exactly this. Someone needs to allow your score to go to 6 for combating the stupidity around here.
Re:The guy was ripping off leftpad (Score:5, Interesting)
Re: (Score:3)
Define "need". Explain to me why I need to understand how a library works in detail. We use a geometry library that uses NURBS, which I haven't bothered learning enough to debug the library. We use a JPEG library, and I really haven't bothered to learn how JPEG works. Add up all the third-party libraries we use, and the company would never have gotten off the ground if we'd had to write all those ourselves.
Re: The guy was ripping off leftpad (Score:2)
Building on the work of others is what open source is about. Heck, it's what proprietary code is about too.
I think what we're looking at here are community rules of which are too permissive of unsharing without cause. It's one thing to unshare for legal reasons but the extent of unsharing should be strictly limited to the affected modules. The deal should be that if you encourage people to depend on your car work you don't get to take it away without good reason.
Re: (Score:3)
What a crock of shit. Do this and you increase your development time 1000-fold. It's stupidity to think that just because someone uses a dependency that they're incapable of understanding it and it blows my mind that this absolute garbage has been voted up. No sane developer would tell you this.
Re: (Score:3)
People reinvent the wheel all the time. You'd have to or else we'd still be using stone wheels. Even a bigmath library gets reinvented, I've seen many versions. That's because one size does not fit all and some of those libraries or their RAM usage will literally not fit on some machines.
Re:OPC (Score:5, Funny)
Yeah, real programmer treat integers as byte arrays.
You kids and your new fangled pythons don't know how good ya'll have it.
Re: OPC (Score:3, Funny)
No, real programmers use a magnetized needle to manipulate bits in memory directly. #notruescotsman
Re: (Score:3)
Because iterating backwards is the same as forwards?
Re:OPC (Score:4, Insightful)
Going up: 32453 / 32536 / 32232 / 32604
Going down: 32587 / 32416 / 32216 / 32466
There seems to be no difference at all in either direction. Code is here [github.com].
Re: (Score:3)
The script shouldn't use while loop at all. Instead, it could be replaced with a simple for loop instead because the loop number is defined.
for (var i=0; i<(len-str.length); i++) { ... }
Back to the topic, I think the word kik is a trademark - http://tmsearch.uspto.gov/bin/... [uspto.gov] - and it is still enforcible. If you look at the Good and Services, it may be the reason why the developer should not use the name or he could be sued...
Re:OPC (Score:5, Insightful)
Re:OPC (Score:5, Insightful)
Re: (Score:3, Funny)
Well, I suppose that still means his library has fewer flaws than OpenSSL does, so maybe he is doing something right.
Re:OPC (Score:5, Insightful)
I hope you're kidding, and the present situation makes an excellent example of why.
Tracking down Open Source dependencies has become a complete nightmare, in many cases, because far, far too many devs unfortunately take your advice to heart. No, we shouldn't roll our own bigmath libraries, or nosql implementations. But what lazy-assed devs would import an external dependency for something as trivial as padding a string? Oh, right - Apparently thousands of them. Gee, I wonder why the business world doesn't take us seriously, despite offering them our work for the low, low price of "free"?
Re: (Score:3)
... I hope you're kidding. Don't reinvent the wheel - if someone else has already written the code then there's no reason to re-write it. That's a huge waste of man hours. Instead you should package all dependencies in such a way that they can be retrieved without requiring the other guy to still be offering it. Yes, that means a snapshot of the version you rely of should be in your repository because you also can't guarantee that a given version will be available as long as your own project is.
Exactly. And this is the very reason we went to using Maven and a private Nexus server. Nexus will go out periodically and find all the security patches, bug fixes, etc. (and upgrades, if you want them) for all of your dependencies, and keep a local copy. If the upstream repository goes dark (this actually happens a lot), you still have a copy of the latest version.
I'm sure there are other similar system that do the same thing. How are people managing their "nuget" packages?
Re: (Score:3)
I have an SVN repo on the same server that hosts my sites. All code is linked from there for js stuff.
I have a private side as well that I use to deploy all server side code from. Works quite well.
-nb
Re:OPC (Score:5, Insightful)
Using other people's libraries is fine; you just need to keep your own copy of them instead of dynamically-linking (or hotlinking, in the case of Javascript web shit).
Re: (Score:3)
real programmers swipe code from SO and compile it without attribution - saying "I wrote all of this"
Re:What a strange name for an IM app... (Score:5, Insightful)
Everything is one letter away of meaning something in some language.
Re: (Score:2, Funny)
Kik is one letter short of being kike (a racist name for a Jewish person). How brilliant.
It's also one letter short of being "kick" (an racist action to be performed on a Jewish person). How brilliant.
Re:What a strange name for an IM app... (Score:5, Funny)
And your nick is one character away from including the word "reamer", and two letters away from being "screamer".
It is simply not possible to exclude every word which is one or two letters away from offending some random idiot who thinks being one letter away is the same thing.
People can give something a name which is totally innocuous to them and which someone else is going to get into a hissy fit about.
So, what's more likely, he had no idea some random guy on the interwebs would make the comparison to a racial slur, or he used a word which sounded cool to him?
Re:What a strange name for an IM app... (Score:4, Funny)
And your nick is one character away from including the word "reamer", and two letters away from being "screamer".
I got the nickname "Reamer the Screamer" in the engineering class at junior high school. My model car required a larger opening to fit the CO2 cartridge ("reamer") and it whistled down the string ("screamer"). I never liked that nickname as it fit the reputations of several girls quite well.
Popular has never meant "smart" (Score:2)
It also prevents versionitis: where the package didn't go away, but was changed in such a way that it no longer works the way it used to.
Your stance may not be "popular", but it is 100% correct — and very smart.
We can still be hosed by irresponsible changes in the underlying language, and/or irresponsible changes in the underlying OS (if there is one... not always the case.)
Python and Perl have both outright broken older code that was designed to the language spec. Windows and OS X have both broken AP