This reminds me of a conversation I had with a friend some years ago. My friend comes from a family of home builders. None of them do it professionally anymore, but they all spent every summer growing up helping dad do everything from digging the hole to putting in the carpet.
From time to time, each of the siblings has built a new home, and they just do it themselves in their spare time. My friend was telling me about helping his sister with her home. His sister has moved into a very rural community in the western U.S. When the family showed up to pour the footings, they asked for a copy of the footing plans. Their sister handed them an 8.5x11 sheet of paper with a hand-drawn floor plan.
"Where's your official plans? The plans you submitted for your permit? The ones with the footing details?"
"That is the paper we submitted for our permit. See the stamp that says 'Approved'?"
All the other siblings live in Clark County, Nevada. The permitting process there is excruciating. They looked at the paper, looked at each other, shrugged, then built the house. They know how to build a footing. They know how to frame. They know how to build a house. The sister's house was built with the same quality as the other siblings' in a fraction of the time.
But if one of the big builders tries to put in a subdivision in that little town, I hope the municipality watches them like a hawk. Big builders don't build homes. They cheat and connive and do everything to push product at the lowest possible cost.
In a world without trust, you cannot afford to let people self-manage.
I disagree. R&D in any industry needs to encourage risk taking. The key is to contain the risks within R&D and never allow them to leak into production.
R&D that is not willing to break things will stagnate.
I read up a little on Guix, but I can't reconcile what I read with what you wrote.
Guix clearly does track and even bundle dependencies.
The part I'm missing is how different packages can rely on different dependencies without stepping on each others' toes. And if a certain package relies on a dependency with known vulnerabilities, do I have to wait for the package to change its dependency, or can I upgrade the dependency as soon as it issues a fix?
From time to time, each of the siblings has built a new home, and they just do it themselves in their spare time. My friend was telling me about helping his sister with her home. His sister has moved into a very rural community in the western U.S. When the family showed up to pour the footings, they asked for a copy of the footing plans. Their sister handed them an 8.5x11 sheet of paper with a hand-drawn floor plan.
"Where's your official plans? The plans you submitted for your permit? The ones with the footing details?"
"That is the paper we submitted for our permit. See the stamp that says 'Approved'?"
All the other siblings live in Clark County, Nevada. The permitting process there is excruciating. They looked at the paper, looked at each other, shrugged, then built the house. They know how to build a footing. They know how to frame. They know how to build a house. The sister's house was built with the same quality as the other siblings' in a fraction of the time.
But if one of the big builders tries to put in a subdivision in that little town, I hope the municipality watches them like a hawk. Big builders don't build homes. They cheat and connive and do everything to push product at the lowest possible cost.
In a world without trust, you cannot afford to let people self-manage.