Original post

I think everyone’s surprised at how open source has become mainstream. I think when GitHub launched – around 2007-2008, something like that, so roughly the same time as happened, GitHub happened… Before GitHub, open source was very niche, I think, for a lot of people. But now enterprise software systems almost all use some open source components, and I think it’s been a sudden change for industry to change the way it works like this. And it’s not just about open source as grabbing code off the web; the whole process of how dependencies are managed, how you do updates, building in distributed worlds, using Git and code review tooling on the web, and all that kind of stuff. All that is new, and I think the open source community has contributed massively to modern software development…

[00:44:10.07] But it’s not just the open source community anymore; the entire software universe is working with these tools now… And that, I think, is completely unexpected and surprising, but it has also brought along some terrifically difficult problems, like dependency management and how you keep your dependencies safe and up to date. A typical Node installation now will have somewhere in the neighborhood of a thousand dependencies, which is just crazy… And I don’t think you can say with any confidence that you can trust a thousand dependencies you don’t own. How do you know that that code is good, safe, robust, protected, the right time to update, the wrong time to update, the bugs are fixed – all those questions are really tricky. And Go has that now as well. Because it’s part of this, it fetches dependencies from the open source ecosystem; the scale of dependency trees isn’t quite as big for Go as it is for some of these other worlds, but it’s still big. It’s much bigger than it typically is for a C++ program, for example… And how do you know what you have is trustworthy?

The Go team is doing a lot of stuff on trying to improve the safety and reliability of grabbing code off the web, but… It remains a problem that surprised everybody when it landed, I think.