How to deal with fear of taking dependenciesWhen should new C projects target very old C standards (>20...

Why is my log file so massive? 22gb. I am running log backups

Why was the "bread communication" in the arena of Catching Fire left out in the movie?

Could a US political party gain complete control over the government by removing checks & balances?

aging parents with no investments

"My colleague's body is amazing"

Is there a name of the flying bionic bird?

What is the meaning of "of trouble" in the following sentence?

Is it legal to have the "// (c) 2019 John Smith" header in all files when there are hundreds of contributors?

Why doesn't a const reference extend the life of a temporary object passed via a function?

Can I legally use front facing blue light in the UK?

Is domain driven design an anti-SQL pattern?

What is GPS' 19 year rollover and does it present a cybersecurity issue?

Is there any use for defining additional entity types in a SOQL FROM clause?

Is Social Media Science Fiction?

Manga about a female worker who got dragged into another world together with this high school girl and she was just told she's not needed anymore

What does 'script /dev/null' do?

Need help identifying/translating a plaque in Tangier, Morocco

Is this food a bread or a loaf?

Domain expired, GoDaddy holds it and is asking more money

LWC and complex parameters

Symmetry in quantum mechanics

How is it possible for user's password to be changed after storage was encrypted? (on OS X, Android)

How to move the player while also allowing forces to affect it

Is ipsum/ipsa/ipse a third person pronoun, or can it serve other functions?



How to deal with fear of taking dependencies


When should new C projects target very old C standards (>20 years old, i.e. C89)?Using third-party libraries - always use a wrapper?Is the Entity Framework appropriate when all you do is insert records in bulk?What document should describe usage of a third party library in a project?How does one keep argument counts low and still keep third party dependencies separate?Formal justification for use of third-party librariesHow to decide what library to use?Licensing, how to?Third party dependencies managementHow to have multiple source copies of a dependency in a C# git project?Bringing a large, complex legacy project under git control






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







23















The team I'm in creates components that can be used by the company's partners to integrate with our platform.



As such, I agree we should take extreme care when introducing (third-party) dependencies. Currently we have no third-party dependencies and we have to stay on the lowest API level of the framework.



Some examples:




  • We are forced to stay on the lowest API level of the framework (.net standard). The reasoning behind this is that a new platform could one day arrive that only supports that very low API level.

  • We have implemented our own components for (de)serializing JSON, and are in the process of doing the same for JWT. This is available in a higher level of the framework API.

  • We have implemented a wrapper around the HTTP framework of the standard library because we don't want to take a dependency on the HTTP implementation of the standard library.

  • All of the code for mapping to/from XML is written "by hand", again for the same reason.


I feel we are taking it too far. I'm wondering how to deal with this since this I think this greatly impacts our velocity.










share|improve this question









New contributor




Bertus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 6





    Is there a justification for this (e.g., external requirement) or is it being done out of ignorance?

    – Blrfl
    19 hours ago






  • 2





    No real justification except what I mentioned in the first bullet point and the general "dependencies are bad", which is obviously true (to a certain degree).

    – Bertus
    19 hours ago






  • 3





    Do an experiment with some small part of codebase, create an isolation layer that doesn't try to be a generic library, but defines an abstract interface that models your needs; then put both your own implementation and a 3rd party dependency behind it, and compare how the two versions work/perform. Weigh out the pros and cons, assess how easy (or how hard) it would be to swap implementations, then make a decision. In short, test things out in a relatively low-risk way, see what happens, then decide.

    – Filip Milovanović
    18 hours ago








  • 21





    "Currently we have no third-party dependencies" This always makes me laugh when people claim this. Of course you do. You've not written your own compiler, IDE, implementation of any standard libraries. You've not written any of the shard objects libs that you use indirectly (or directly). When you realise how much 3rd party software and libraries that you depend on, you can drop the "dependencies are bad" idea, and just enjoy not re-inventing the wheel. I would just flag the dependencies that you have, and then ask why they're acceptable, but json parsing isn't.

    – UKMonkey
    17 hours ago








  • 2





    That said there is the alternative draw backs, like never finishing projects. But it does promote software jobs and employment :)

    – marshal craft
    13 hours ago


















23















The team I'm in creates components that can be used by the company's partners to integrate with our platform.



As such, I agree we should take extreme care when introducing (third-party) dependencies. Currently we have no third-party dependencies and we have to stay on the lowest API level of the framework.



Some examples:




  • We are forced to stay on the lowest API level of the framework (.net standard). The reasoning behind this is that a new platform could one day arrive that only supports that very low API level.

  • We have implemented our own components for (de)serializing JSON, and are in the process of doing the same for JWT. This is available in a higher level of the framework API.

  • We have implemented a wrapper around the HTTP framework of the standard library because we don't want to take a dependency on the HTTP implementation of the standard library.

  • All of the code for mapping to/from XML is written "by hand", again for the same reason.


I feel we are taking it too far. I'm wondering how to deal with this since this I think this greatly impacts our velocity.










share|improve this question









New contributor




Bertus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 6





    Is there a justification for this (e.g., external requirement) or is it being done out of ignorance?

    – Blrfl
    19 hours ago






  • 2





    No real justification except what I mentioned in the first bullet point and the general "dependencies are bad", which is obviously true (to a certain degree).

    – Bertus
    19 hours ago






  • 3





    Do an experiment with some small part of codebase, create an isolation layer that doesn't try to be a generic library, but defines an abstract interface that models your needs; then put both your own implementation and a 3rd party dependency behind it, and compare how the two versions work/perform. Weigh out the pros and cons, assess how easy (or how hard) it would be to swap implementations, then make a decision. In short, test things out in a relatively low-risk way, see what happens, then decide.

    – Filip Milovanović
    18 hours ago








  • 21





    "Currently we have no third-party dependencies" This always makes me laugh when people claim this. Of course you do. You've not written your own compiler, IDE, implementation of any standard libraries. You've not written any of the shard objects libs that you use indirectly (or directly). When you realise how much 3rd party software and libraries that you depend on, you can drop the "dependencies are bad" idea, and just enjoy not re-inventing the wheel. I would just flag the dependencies that you have, and then ask why they're acceptable, but json parsing isn't.

    – UKMonkey
    17 hours ago








  • 2





    That said there is the alternative draw backs, like never finishing projects. But it does promote software jobs and employment :)

    – marshal craft
    13 hours ago














23












23








23


6






The team I'm in creates components that can be used by the company's partners to integrate with our platform.



As such, I agree we should take extreme care when introducing (third-party) dependencies. Currently we have no third-party dependencies and we have to stay on the lowest API level of the framework.



Some examples:




  • We are forced to stay on the lowest API level of the framework (.net standard). The reasoning behind this is that a new platform could one day arrive that only supports that very low API level.

  • We have implemented our own components for (de)serializing JSON, and are in the process of doing the same for JWT. This is available in a higher level of the framework API.

  • We have implemented a wrapper around the HTTP framework of the standard library because we don't want to take a dependency on the HTTP implementation of the standard library.

  • All of the code for mapping to/from XML is written "by hand", again for the same reason.


I feel we are taking it too far. I'm wondering how to deal with this since this I think this greatly impacts our velocity.










share|improve this question









New contributor




Bertus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












The team I'm in creates components that can be used by the company's partners to integrate with our platform.



As such, I agree we should take extreme care when introducing (third-party) dependencies. Currently we have no third-party dependencies and we have to stay on the lowest API level of the framework.



Some examples:




  • We are forced to stay on the lowest API level of the framework (.net standard). The reasoning behind this is that a new platform could one day arrive that only supports that very low API level.

  • We have implemented our own components for (de)serializing JSON, and are in the process of doing the same for JWT. This is available in a higher level of the framework API.

  • We have implemented a wrapper around the HTTP framework of the standard library because we don't want to take a dependency on the HTTP implementation of the standard library.

  • All of the code for mapping to/from XML is written "by hand", again for the same reason.


I feel we are taking it too far. I'm wondering how to deal with this since this I think this greatly impacts our velocity.







architecture .net dependencies third-party-libraries code-ownership






share|improve this question









New contributor




Bertus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Bertus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 16 hours ago







Bertus













New contributor




Bertus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 19 hours ago









BertusBertus

12116




12116




New contributor




Bertus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Bertus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Bertus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 6





    Is there a justification for this (e.g., external requirement) or is it being done out of ignorance?

    – Blrfl
    19 hours ago






  • 2





    No real justification except what I mentioned in the first bullet point and the general "dependencies are bad", which is obviously true (to a certain degree).

    – Bertus
    19 hours ago






  • 3





    Do an experiment with some small part of codebase, create an isolation layer that doesn't try to be a generic library, but defines an abstract interface that models your needs; then put both your own implementation and a 3rd party dependency behind it, and compare how the two versions work/perform. Weigh out the pros and cons, assess how easy (or how hard) it would be to swap implementations, then make a decision. In short, test things out in a relatively low-risk way, see what happens, then decide.

    – Filip Milovanović
    18 hours ago








  • 21





    "Currently we have no third-party dependencies" This always makes me laugh when people claim this. Of course you do. You've not written your own compiler, IDE, implementation of any standard libraries. You've not written any of the shard objects libs that you use indirectly (or directly). When you realise how much 3rd party software and libraries that you depend on, you can drop the "dependencies are bad" idea, and just enjoy not re-inventing the wheel. I would just flag the dependencies that you have, and then ask why they're acceptable, but json parsing isn't.

    – UKMonkey
    17 hours ago








  • 2





    That said there is the alternative draw backs, like never finishing projects. But it does promote software jobs and employment :)

    – marshal craft
    13 hours ago














  • 6





    Is there a justification for this (e.g., external requirement) or is it being done out of ignorance?

    – Blrfl
    19 hours ago






  • 2





    No real justification except what I mentioned in the first bullet point and the general "dependencies are bad", which is obviously true (to a certain degree).

    – Bertus
    19 hours ago






  • 3





    Do an experiment with some small part of codebase, create an isolation layer that doesn't try to be a generic library, but defines an abstract interface that models your needs; then put both your own implementation and a 3rd party dependency behind it, and compare how the two versions work/perform. Weigh out the pros and cons, assess how easy (or how hard) it would be to swap implementations, then make a decision. In short, test things out in a relatively low-risk way, see what happens, then decide.

    – Filip Milovanović
    18 hours ago








  • 21





    "Currently we have no third-party dependencies" This always makes me laugh when people claim this. Of course you do. You've not written your own compiler, IDE, implementation of any standard libraries. You've not written any of the shard objects libs that you use indirectly (or directly). When you realise how much 3rd party software and libraries that you depend on, you can drop the "dependencies are bad" idea, and just enjoy not re-inventing the wheel. I would just flag the dependencies that you have, and then ask why they're acceptable, but json parsing isn't.

    – UKMonkey
    17 hours ago








  • 2





    That said there is the alternative draw backs, like never finishing projects. But it does promote software jobs and employment :)

    – marshal craft
    13 hours ago








6




6





Is there a justification for this (e.g., external requirement) or is it being done out of ignorance?

– Blrfl
19 hours ago





Is there a justification for this (e.g., external requirement) or is it being done out of ignorance?

– Blrfl
19 hours ago




2




2





No real justification except what I mentioned in the first bullet point and the general "dependencies are bad", which is obviously true (to a certain degree).

– Bertus
19 hours ago





No real justification except what I mentioned in the first bullet point and the general "dependencies are bad", which is obviously true (to a certain degree).

– Bertus
19 hours ago




3




3





Do an experiment with some small part of codebase, create an isolation layer that doesn't try to be a generic library, but defines an abstract interface that models your needs; then put both your own implementation and a 3rd party dependency behind it, and compare how the two versions work/perform. Weigh out the pros and cons, assess how easy (or how hard) it would be to swap implementations, then make a decision. In short, test things out in a relatively low-risk way, see what happens, then decide.

– Filip Milovanović
18 hours ago







Do an experiment with some small part of codebase, create an isolation layer that doesn't try to be a generic library, but defines an abstract interface that models your needs; then put both your own implementation and a 3rd party dependency behind it, and compare how the two versions work/perform. Weigh out the pros and cons, assess how easy (or how hard) it would be to swap implementations, then make a decision. In short, test things out in a relatively low-risk way, see what happens, then decide.

– Filip Milovanović
18 hours ago






21




21





"Currently we have no third-party dependencies" This always makes me laugh when people claim this. Of course you do. You've not written your own compiler, IDE, implementation of any standard libraries. You've not written any of the shard objects libs that you use indirectly (or directly). When you realise how much 3rd party software and libraries that you depend on, you can drop the "dependencies are bad" idea, and just enjoy not re-inventing the wheel. I would just flag the dependencies that you have, and then ask why they're acceptable, but json parsing isn't.

– UKMonkey
17 hours ago







"Currently we have no third-party dependencies" This always makes me laugh when people claim this. Of course you do. You've not written your own compiler, IDE, implementation of any standard libraries. You've not written any of the shard objects libs that you use indirectly (or directly). When you realise how much 3rd party software and libraries that you depend on, you can drop the "dependencies are bad" idea, and just enjoy not re-inventing the wheel. I would just flag the dependencies that you have, and then ask why they're acceptable, but json parsing isn't.

– UKMonkey
17 hours ago






2




2





That said there is the alternative draw backs, like never finishing projects. But it does promote software jobs and employment :)

– marshal craft
13 hours ago





That said there is the alternative draw backs, like never finishing projects. But it does promote software jobs and employment :)

– marshal craft
13 hours ago










5 Answers
5






active

oldest

votes


















43















... We are forced to stay on the lowest API level of the framework (.net standard) …




This to me highlights the fact that, not only are you potentially restricting yourselves too much, you may also be heading for a nasty fall with your approach.



.NET Standard is not, and never will be "the lowest API level of the framework". The most restrictive set of APIs for .NET is achieved by creating a portable class library that targets windows phone and Silverlight.



Depending on which version of .NET Standard you are targeting, you can end up with a very rich set of APIs that are compatible with .NET Framework, .NET Core, Mono and Xamarin. And there are many 3rd party libraries that are .NET Standard compatible that will therefore work on all these platforms.



Then there is .NET Standard 2.1, likely to be released in the Autumn of 2019. It will be supported by .NET Core, Mono and Xamarin. It will not be supported by any version of the .NET Framework, at least for the foreseeable future, and quite likely always. So in the near future, far from being "the lowest API level of the framework", .NET Standard will supersede the framework and have APIs that aren't supported by the latter.



So be very careful with "The reasoning behind this is that a new platform could one day arrive that only supports that very low API level" as it's quite likely that new platforms will in fact support a higher level API than the old framework does.



Then there's the issue of third party libraries. JSON.NET for example is compatible with .NET Standard. Any library compatible with .NET Standard is guaranteed - API-wise - to work with all .NET implementations that are compatible with that version of .NET Standard. SO you achieve no additional compatibility by not using it and creating your JSON library. You simply create more work for yourselves and incur unnecessary costs for your company.



So yes, you definitely are taking this too far in my view.






share|improve this answer































    19















    We are forced to stay on the lowest API level of the framework (.net standard). The reasoning behind this is that a new platform could one day arrive that only supports that very low API level.




    The reasoning here is rather backwards. Older, lower API levels are more likely to become obsolete and unsupported than newer ones. While I agree that staying a comfortable way behind the "cutting edge" is sensible to ensure a reasonable level of compatibility in the scenario you mention, never moving forward is beyond extreme.




    We have implemented our own components for (de)serializing JSON, and are in the process of doing the same for JWT. This is available in a higher level of the framework API.
    We have implemented a wrapper around the HTTP framework of the standard library because we don't want to take a dependency on the HTTP impelemntation of the standard library.
    All of the code for mapping to/from XML is written "by hand", again for the same reason.




    This is madness. Even if you don't want to use standard library functions for whatever reason, open source libraries exist with commercially compatible licenses that do all of the above. They've already been written, extensively tested from a functionality, security and API design point of view, and used extensively in many other projects.



    If the worst happens and that project goes away, or stops being maintained, then you've got the code to build the library anyway, and you assign someone to maintain it. And you're likely still in a much better position than if you'd rolled your own, since in reality you'll have more tested, cleaner, more maintainable code to look after.



    In the much more likely scenario that the project is maintained, and bugs or exploits are found in those libraries, you'll know about them so can do something about it - such as upgrading to a newer version free of charge, or patching your version with the fix if you've taken a copy.






    share|improve this answer































      8














      On the whole these things are good for your customers. Even a popular open source library might be impossible for them to use for some reason.



      for example they may have signed a contract with their customers promising not to use open source products



      However, as you point out these features are not without cost.




      • Time to market

      • Size of package

      • Performance


      I would raise these downsides and talk with customers to find out if they really need the uber levels of compatibility you are offering.



      If all the customers already use JSON.Net for example, then using it in your product rather than your own deserialisation code, reduces its size and improves it.



      If you introduce a second version of your product, one which uses 3rd party libraries as well as a compatible one you could judge the uptake on both. Will customers use the 3rd parties to get the latest features a bit earlier, or stick with the 'compatible' version?






      share|improve this answer





















      • 6





        Yes I obviously agree, and I would add "security" to your list. There's some potential that you might introduce a vulnerability in your code, especially with things like JSON/JWT, compared to well tested frameworks and definitely the standard library.

        – Bertus
        19 hours ago











      • Yes, its hard to make the list because obviously things like security and performance could go both ways. But there is an obvious conflict of interest between finishing features and insuring internal components are fully featured/understood

        – Ewan
        19 hours ago











      • "they may have signed a contract with their customers promising not to use open source products" - they're using .NET Standard, which is open source. It's a bad idea to sign that contract when you're basing your entire product on an open source framework.

        – Stephen
        5 hours ago











      • And still people do it

        – Ewan
        5 hours ago



















      2














      Short answer is that you should start introducing third-party dependencies. During your next stand-up meeting, tell everyone that the next week at work will be the most fun they have had in years -- they'll replace the JSON and XML components with open source, standard libraries solutions. Tell everyone that they have three days to replace the JSON component. Celebrate after it's done. Have a party. This is worth celebrating.






      share|improve this answer








      New contributor




      Double Vision Stout Fat Heavy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




























        0














        Basically it all comes down to effort vs. risk.



        By adding an additional dependency or update your framework or use higher level API, you lower your effort but you take up risk. So I would suggest doing a SWOT analysis.




        • Strengths: Less effort, because you don't have to code it yourself.

        • Weaknesses: It's not as custom designed for your special needs as a handcrafted solution.

        • Opportunities: Time to market is smaller. You might profit from external developments.

        • Threats: You might upset customers with additional dependencies.


        As you can see the additional effort to develop a handcrafted solution is an investment into lowering your threats. Now you can make a strategic decision.






        share|improve this answer
























          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "131"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });






          Bertus is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsoftwareengineering.stackexchange.com%2fquestions%2f389972%2fhow-to-deal-with-fear-of-taking-dependencies%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          5 Answers
          5






          active

          oldest

          votes








          5 Answers
          5






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          43















          ... We are forced to stay on the lowest API level of the framework (.net standard) …




          This to me highlights the fact that, not only are you potentially restricting yourselves too much, you may also be heading for a nasty fall with your approach.



          .NET Standard is not, and never will be "the lowest API level of the framework". The most restrictive set of APIs for .NET is achieved by creating a portable class library that targets windows phone and Silverlight.



          Depending on which version of .NET Standard you are targeting, you can end up with a very rich set of APIs that are compatible with .NET Framework, .NET Core, Mono and Xamarin. And there are many 3rd party libraries that are .NET Standard compatible that will therefore work on all these platforms.



          Then there is .NET Standard 2.1, likely to be released in the Autumn of 2019. It will be supported by .NET Core, Mono and Xamarin. It will not be supported by any version of the .NET Framework, at least for the foreseeable future, and quite likely always. So in the near future, far from being "the lowest API level of the framework", .NET Standard will supersede the framework and have APIs that aren't supported by the latter.



          So be very careful with "The reasoning behind this is that a new platform could one day arrive that only supports that very low API level" as it's quite likely that new platforms will in fact support a higher level API than the old framework does.



          Then there's the issue of third party libraries. JSON.NET for example is compatible with .NET Standard. Any library compatible with .NET Standard is guaranteed - API-wise - to work with all .NET implementations that are compatible with that version of .NET Standard. SO you achieve no additional compatibility by not using it and creating your JSON library. You simply create more work for yourselves and incur unnecessary costs for your company.



          So yes, you definitely are taking this too far in my view.






          share|improve this answer




























            43















            ... We are forced to stay on the lowest API level of the framework (.net standard) …




            This to me highlights the fact that, not only are you potentially restricting yourselves too much, you may also be heading for a nasty fall with your approach.



            .NET Standard is not, and never will be "the lowest API level of the framework". The most restrictive set of APIs for .NET is achieved by creating a portable class library that targets windows phone and Silverlight.



            Depending on which version of .NET Standard you are targeting, you can end up with a very rich set of APIs that are compatible with .NET Framework, .NET Core, Mono and Xamarin. And there are many 3rd party libraries that are .NET Standard compatible that will therefore work on all these platforms.



            Then there is .NET Standard 2.1, likely to be released in the Autumn of 2019. It will be supported by .NET Core, Mono and Xamarin. It will not be supported by any version of the .NET Framework, at least for the foreseeable future, and quite likely always. So in the near future, far from being "the lowest API level of the framework", .NET Standard will supersede the framework and have APIs that aren't supported by the latter.



            So be very careful with "The reasoning behind this is that a new platform could one day arrive that only supports that very low API level" as it's quite likely that new platforms will in fact support a higher level API than the old framework does.



            Then there's the issue of third party libraries. JSON.NET for example is compatible with .NET Standard. Any library compatible with .NET Standard is guaranteed - API-wise - to work with all .NET implementations that are compatible with that version of .NET Standard. SO you achieve no additional compatibility by not using it and creating your JSON library. You simply create more work for yourselves and incur unnecessary costs for your company.



            So yes, you definitely are taking this too far in my view.






            share|improve this answer


























              43












              43








              43








              ... We are forced to stay on the lowest API level of the framework (.net standard) …




              This to me highlights the fact that, not only are you potentially restricting yourselves too much, you may also be heading for a nasty fall with your approach.



              .NET Standard is not, and never will be "the lowest API level of the framework". The most restrictive set of APIs for .NET is achieved by creating a portable class library that targets windows phone and Silverlight.



              Depending on which version of .NET Standard you are targeting, you can end up with a very rich set of APIs that are compatible with .NET Framework, .NET Core, Mono and Xamarin. And there are many 3rd party libraries that are .NET Standard compatible that will therefore work on all these platforms.



              Then there is .NET Standard 2.1, likely to be released in the Autumn of 2019. It will be supported by .NET Core, Mono and Xamarin. It will not be supported by any version of the .NET Framework, at least for the foreseeable future, and quite likely always. So in the near future, far from being "the lowest API level of the framework", .NET Standard will supersede the framework and have APIs that aren't supported by the latter.



              So be very careful with "The reasoning behind this is that a new platform could one day arrive that only supports that very low API level" as it's quite likely that new platforms will in fact support a higher level API than the old framework does.



              Then there's the issue of third party libraries. JSON.NET for example is compatible with .NET Standard. Any library compatible with .NET Standard is guaranteed - API-wise - to work with all .NET implementations that are compatible with that version of .NET Standard. SO you achieve no additional compatibility by not using it and creating your JSON library. You simply create more work for yourselves and incur unnecessary costs for your company.



              So yes, you definitely are taking this too far in my view.






              share|improve this answer














              ... We are forced to stay on the lowest API level of the framework (.net standard) …




              This to me highlights the fact that, not only are you potentially restricting yourselves too much, you may also be heading for a nasty fall with your approach.



              .NET Standard is not, and never will be "the lowest API level of the framework". The most restrictive set of APIs for .NET is achieved by creating a portable class library that targets windows phone and Silverlight.



              Depending on which version of .NET Standard you are targeting, you can end up with a very rich set of APIs that are compatible with .NET Framework, .NET Core, Mono and Xamarin. And there are many 3rd party libraries that are .NET Standard compatible that will therefore work on all these platforms.



              Then there is .NET Standard 2.1, likely to be released in the Autumn of 2019. It will be supported by .NET Core, Mono and Xamarin. It will not be supported by any version of the .NET Framework, at least for the foreseeable future, and quite likely always. So in the near future, far from being "the lowest API level of the framework", .NET Standard will supersede the framework and have APIs that aren't supported by the latter.



              So be very careful with "The reasoning behind this is that a new platform could one day arrive that only supports that very low API level" as it's quite likely that new platforms will in fact support a higher level API than the old framework does.



              Then there's the issue of third party libraries. JSON.NET for example is compatible with .NET Standard. Any library compatible with .NET Standard is guaranteed - API-wise - to work with all .NET implementations that are compatible with that version of .NET Standard. SO you achieve no additional compatibility by not using it and creating your JSON library. You simply create more work for yourselves and incur unnecessary costs for your company.



              So yes, you definitely are taking this too far in my view.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered 18 hours ago









              David ArnoDavid Arno

              29.1k75894




              29.1k75894

























                  19















                  We are forced to stay on the lowest API level of the framework (.net standard). The reasoning behind this is that a new platform could one day arrive that only supports that very low API level.




                  The reasoning here is rather backwards. Older, lower API levels are more likely to become obsolete and unsupported than newer ones. While I agree that staying a comfortable way behind the "cutting edge" is sensible to ensure a reasonable level of compatibility in the scenario you mention, never moving forward is beyond extreme.




                  We have implemented our own components for (de)serializing JSON, and are in the process of doing the same for JWT. This is available in a higher level of the framework API.
                  We have implemented a wrapper around the HTTP framework of the standard library because we don't want to take a dependency on the HTTP impelemntation of the standard library.
                  All of the code for mapping to/from XML is written "by hand", again for the same reason.




                  This is madness. Even if you don't want to use standard library functions for whatever reason, open source libraries exist with commercially compatible licenses that do all of the above. They've already been written, extensively tested from a functionality, security and API design point of view, and used extensively in many other projects.



                  If the worst happens and that project goes away, or stops being maintained, then you've got the code to build the library anyway, and you assign someone to maintain it. And you're likely still in a much better position than if you'd rolled your own, since in reality you'll have more tested, cleaner, more maintainable code to look after.



                  In the much more likely scenario that the project is maintained, and bugs or exploits are found in those libraries, you'll know about them so can do something about it - such as upgrading to a newer version free of charge, or patching your version with the fix if you've taken a copy.






                  share|improve this answer




























                    19















                    We are forced to stay on the lowest API level of the framework (.net standard). The reasoning behind this is that a new platform could one day arrive that only supports that very low API level.




                    The reasoning here is rather backwards. Older, lower API levels are more likely to become obsolete and unsupported than newer ones. While I agree that staying a comfortable way behind the "cutting edge" is sensible to ensure a reasonable level of compatibility in the scenario you mention, never moving forward is beyond extreme.




                    We have implemented our own components for (de)serializing JSON, and are in the process of doing the same for JWT. This is available in a higher level of the framework API.
                    We have implemented a wrapper around the HTTP framework of the standard library because we don't want to take a dependency on the HTTP impelemntation of the standard library.
                    All of the code for mapping to/from XML is written "by hand", again for the same reason.




                    This is madness. Even if you don't want to use standard library functions for whatever reason, open source libraries exist with commercially compatible licenses that do all of the above. They've already been written, extensively tested from a functionality, security and API design point of view, and used extensively in many other projects.



                    If the worst happens and that project goes away, or stops being maintained, then you've got the code to build the library anyway, and you assign someone to maintain it. And you're likely still in a much better position than if you'd rolled your own, since in reality you'll have more tested, cleaner, more maintainable code to look after.



                    In the much more likely scenario that the project is maintained, and bugs or exploits are found in those libraries, you'll know about them so can do something about it - such as upgrading to a newer version free of charge, or patching your version with the fix if you've taken a copy.






                    share|improve this answer


























                      19












                      19








                      19








                      We are forced to stay on the lowest API level of the framework (.net standard). The reasoning behind this is that a new platform could one day arrive that only supports that very low API level.




                      The reasoning here is rather backwards. Older, lower API levels are more likely to become obsolete and unsupported than newer ones. While I agree that staying a comfortable way behind the "cutting edge" is sensible to ensure a reasonable level of compatibility in the scenario you mention, never moving forward is beyond extreme.




                      We have implemented our own components for (de)serializing JSON, and are in the process of doing the same for JWT. This is available in a higher level of the framework API.
                      We have implemented a wrapper around the HTTP framework of the standard library because we don't want to take a dependency on the HTTP impelemntation of the standard library.
                      All of the code for mapping to/from XML is written "by hand", again for the same reason.




                      This is madness. Even if you don't want to use standard library functions for whatever reason, open source libraries exist with commercially compatible licenses that do all of the above. They've already been written, extensively tested from a functionality, security and API design point of view, and used extensively in many other projects.



                      If the worst happens and that project goes away, or stops being maintained, then you've got the code to build the library anyway, and you assign someone to maintain it. And you're likely still in a much better position than if you'd rolled your own, since in reality you'll have more tested, cleaner, more maintainable code to look after.



                      In the much more likely scenario that the project is maintained, and bugs or exploits are found in those libraries, you'll know about them so can do something about it - such as upgrading to a newer version free of charge, or patching your version with the fix if you've taken a copy.






                      share|improve this answer














                      We are forced to stay on the lowest API level of the framework (.net standard). The reasoning behind this is that a new platform could one day arrive that only supports that very low API level.




                      The reasoning here is rather backwards. Older, lower API levels are more likely to become obsolete and unsupported than newer ones. While I agree that staying a comfortable way behind the "cutting edge" is sensible to ensure a reasonable level of compatibility in the scenario you mention, never moving forward is beyond extreme.




                      We have implemented our own components for (de)serializing JSON, and are in the process of doing the same for JWT. This is available in a higher level of the framework API.
                      We have implemented a wrapper around the HTTP framework of the standard library because we don't want to take a dependency on the HTTP impelemntation of the standard library.
                      All of the code for mapping to/from XML is written "by hand", again for the same reason.




                      This is madness. Even if you don't want to use standard library functions for whatever reason, open source libraries exist with commercially compatible licenses that do all of the above. They've already been written, extensively tested from a functionality, security and API design point of view, and used extensively in many other projects.



                      If the worst happens and that project goes away, or stops being maintained, then you've got the code to build the library anyway, and you assign someone to maintain it. And you're likely still in a much better position than if you'd rolled your own, since in reality you'll have more tested, cleaner, more maintainable code to look after.



                      In the much more likely scenario that the project is maintained, and bugs or exploits are found in those libraries, you'll know about them so can do something about it - such as upgrading to a newer version free of charge, or patching your version with the fix if you've taken a copy.







                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered 16 hours ago









                      berry120berry120

                      1,3921117




                      1,3921117























                          8














                          On the whole these things are good for your customers. Even a popular open source library might be impossible for them to use for some reason.



                          for example they may have signed a contract with their customers promising not to use open source products



                          However, as you point out these features are not without cost.




                          • Time to market

                          • Size of package

                          • Performance


                          I would raise these downsides and talk with customers to find out if they really need the uber levels of compatibility you are offering.



                          If all the customers already use JSON.Net for example, then using it in your product rather than your own deserialisation code, reduces its size and improves it.



                          If you introduce a second version of your product, one which uses 3rd party libraries as well as a compatible one you could judge the uptake on both. Will customers use the 3rd parties to get the latest features a bit earlier, or stick with the 'compatible' version?






                          share|improve this answer





















                          • 6





                            Yes I obviously agree, and I would add "security" to your list. There's some potential that you might introduce a vulnerability in your code, especially with things like JSON/JWT, compared to well tested frameworks and definitely the standard library.

                            – Bertus
                            19 hours ago











                          • Yes, its hard to make the list because obviously things like security and performance could go both ways. But there is an obvious conflict of interest between finishing features and insuring internal components are fully featured/understood

                            – Ewan
                            19 hours ago











                          • "they may have signed a contract with their customers promising not to use open source products" - they're using .NET Standard, which is open source. It's a bad idea to sign that contract when you're basing your entire product on an open source framework.

                            – Stephen
                            5 hours ago











                          • And still people do it

                            – Ewan
                            5 hours ago
















                          8














                          On the whole these things are good for your customers. Even a popular open source library might be impossible for them to use for some reason.



                          for example they may have signed a contract with their customers promising not to use open source products



                          However, as you point out these features are not without cost.




                          • Time to market

                          • Size of package

                          • Performance


                          I would raise these downsides and talk with customers to find out if they really need the uber levels of compatibility you are offering.



                          If all the customers already use JSON.Net for example, then using it in your product rather than your own deserialisation code, reduces its size and improves it.



                          If you introduce a second version of your product, one which uses 3rd party libraries as well as a compatible one you could judge the uptake on both. Will customers use the 3rd parties to get the latest features a bit earlier, or stick with the 'compatible' version?






                          share|improve this answer





















                          • 6





                            Yes I obviously agree, and I would add "security" to your list. There's some potential that you might introduce a vulnerability in your code, especially with things like JSON/JWT, compared to well tested frameworks and definitely the standard library.

                            – Bertus
                            19 hours ago











                          • Yes, its hard to make the list because obviously things like security and performance could go both ways. But there is an obvious conflict of interest between finishing features and insuring internal components are fully featured/understood

                            – Ewan
                            19 hours ago











                          • "they may have signed a contract with their customers promising not to use open source products" - they're using .NET Standard, which is open source. It's a bad idea to sign that contract when you're basing your entire product on an open source framework.

                            – Stephen
                            5 hours ago











                          • And still people do it

                            – Ewan
                            5 hours ago














                          8












                          8








                          8







                          On the whole these things are good for your customers. Even a popular open source library might be impossible for them to use for some reason.



                          for example they may have signed a contract with their customers promising not to use open source products



                          However, as you point out these features are not without cost.




                          • Time to market

                          • Size of package

                          • Performance


                          I would raise these downsides and talk with customers to find out if they really need the uber levels of compatibility you are offering.



                          If all the customers already use JSON.Net for example, then using it in your product rather than your own deserialisation code, reduces its size and improves it.



                          If you introduce a second version of your product, one which uses 3rd party libraries as well as a compatible one you could judge the uptake on both. Will customers use the 3rd parties to get the latest features a bit earlier, or stick with the 'compatible' version?






                          share|improve this answer















                          On the whole these things are good for your customers. Even a popular open source library might be impossible for them to use for some reason.



                          for example they may have signed a contract with their customers promising not to use open source products



                          However, as you point out these features are not without cost.




                          • Time to market

                          • Size of package

                          • Performance


                          I would raise these downsides and talk with customers to find out if they really need the uber levels of compatibility you are offering.



                          If all the customers already use JSON.Net for example, then using it in your product rather than your own deserialisation code, reduces its size and improves it.



                          If you introduce a second version of your product, one which uses 3rd party libraries as well as a compatible one you could judge the uptake on both. Will customers use the 3rd parties to get the latest features a bit earlier, or stick with the 'compatible' version?







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited 17 hours ago

























                          answered 19 hours ago









                          EwanEwan

                          43.5k33697




                          43.5k33697








                          • 6





                            Yes I obviously agree, and I would add "security" to your list. There's some potential that you might introduce a vulnerability in your code, especially with things like JSON/JWT, compared to well tested frameworks and definitely the standard library.

                            – Bertus
                            19 hours ago











                          • Yes, its hard to make the list because obviously things like security and performance could go both ways. But there is an obvious conflict of interest between finishing features and insuring internal components are fully featured/understood

                            – Ewan
                            19 hours ago











                          • "they may have signed a contract with their customers promising not to use open source products" - they're using .NET Standard, which is open source. It's a bad idea to sign that contract when you're basing your entire product on an open source framework.

                            – Stephen
                            5 hours ago











                          • And still people do it

                            – Ewan
                            5 hours ago














                          • 6





                            Yes I obviously agree, and I would add "security" to your list. There's some potential that you might introduce a vulnerability in your code, especially with things like JSON/JWT, compared to well tested frameworks and definitely the standard library.

                            – Bertus
                            19 hours ago











                          • Yes, its hard to make the list because obviously things like security and performance could go both ways. But there is an obvious conflict of interest between finishing features and insuring internal components are fully featured/understood

                            – Ewan
                            19 hours ago











                          • "they may have signed a contract with their customers promising not to use open source products" - they're using .NET Standard, which is open source. It's a bad idea to sign that contract when you're basing your entire product on an open source framework.

                            – Stephen
                            5 hours ago











                          • And still people do it

                            – Ewan
                            5 hours ago








                          6




                          6





                          Yes I obviously agree, and I would add "security" to your list. There's some potential that you might introduce a vulnerability in your code, especially with things like JSON/JWT, compared to well tested frameworks and definitely the standard library.

                          – Bertus
                          19 hours ago





                          Yes I obviously agree, and I would add "security" to your list. There's some potential that you might introduce a vulnerability in your code, especially with things like JSON/JWT, compared to well tested frameworks and definitely the standard library.

                          – Bertus
                          19 hours ago













                          Yes, its hard to make the list because obviously things like security and performance could go both ways. But there is an obvious conflict of interest between finishing features and insuring internal components are fully featured/understood

                          – Ewan
                          19 hours ago





                          Yes, its hard to make the list because obviously things like security and performance could go both ways. But there is an obvious conflict of interest between finishing features and insuring internal components are fully featured/understood

                          – Ewan
                          19 hours ago













                          "they may have signed a contract with their customers promising not to use open source products" - they're using .NET Standard, which is open source. It's a bad idea to sign that contract when you're basing your entire product on an open source framework.

                          – Stephen
                          5 hours ago





                          "they may have signed a contract with their customers promising not to use open source products" - they're using .NET Standard, which is open source. It's a bad idea to sign that contract when you're basing your entire product on an open source framework.

                          – Stephen
                          5 hours ago













                          And still people do it

                          – Ewan
                          5 hours ago





                          And still people do it

                          – Ewan
                          5 hours ago











                          2














                          Short answer is that you should start introducing third-party dependencies. During your next stand-up meeting, tell everyone that the next week at work will be the most fun they have had in years -- they'll replace the JSON and XML components with open source, standard libraries solutions. Tell everyone that they have three days to replace the JSON component. Celebrate after it's done. Have a party. This is worth celebrating.






                          share|improve this answer








                          New contributor




                          Double Vision Stout Fat Heavy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.

























                            2














                            Short answer is that you should start introducing third-party dependencies. During your next stand-up meeting, tell everyone that the next week at work will be the most fun they have had in years -- they'll replace the JSON and XML components with open source, standard libraries solutions. Tell everyone that they have three days to replace the JSON component. Celebrate after it's done. Have a party. This is worth celebrating.






                            share|improve this answer








                            New contributor




                            Double Vision Stout Fat Heavy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                            Check out our Code of Conduct.























                              2












                              2








                              2







                              Short answer is that you should start introducing third-party dependencies. During your next stand-up meeting, tell everyone that the next week at work will be the most fun they have had in years -- they'll replace the JSON and XML components with open source, standard libraries solutions. Tell everyone that they have three days to replace the JSON component. Celebrate after it's done. Have a party. This is worth celebrating.






                              share|improve this answer








                              New contributor




                              Double Vision Stout Fat Heavy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                              Check out our Code of Conduct.










                              Short answer is that you should start introducing third-party dependencies. During your next stand-up meeting, tell everyone that the next week at work will be the most fun they have had in years -- they'll replace the JSON and XML components with open source, standard libraries solutions. Tell everyone that they have three days to replace the JSON component. Celebrate after it's done. Have a party. This is worth celebrating.







                              share|improve this answer








                              New contributor




                              Double Vision Stout Fat Heavy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                              Check out our Code of Conduct.









                              share|improve this answer



                              share|improve this answer






                              New contributor




                              Double Vision Stout Fat Heavy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                              Check out our Code of Conduct.









                              answered 4 hours ago









                              Double Vision Stout Fat HeavyDouble Vision Stout Fat Heavy

                              212




                              212




                              New contributor




                              Double Vision Stout Fat Heavy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                              Check out our Code of Conduct.





                              New contributor





                              Double Vision Stout Fat Heavy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                              Check out our Code of Conduct.






                              Double Vision Stout Fat Heavy is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                              Check out our Code of Conduct.























                                  0














                                  Basically it all comes down to effort vs. risk.



                                  By adding an additional dependency or update your framework or use higher level API, you lower your effort but you take up risk. So I would suggest doing a SWOT analysis.




                                  • Strengths: Less effort, because you don't have to code it yourself.

                                  • Weaknesses: It's not as custom designed for your special needs as a handcrafted solution.

                                  • Opportunities: Time to market is smaller. You might profit from external developments.

                                  • Threats: You might upset customers with additional dependencies.


                                  As you can see the additional effort to develop a handcrafted solution is an investment into lowering your threats. Now you can make a strategic decision.






                                  share|improve this answer




























                                    0














                                    Basically it all comes down to effort vs. risk.



                                    By adding an additional dependency or update your framework or use higher level API, you lower your effort but you take up risk. So I would suggest doing a SWOT analysis.




                                    • Strengths: Less effort, because you don't have to code it yourself.

                                    • Weaknesses: It's not as custom designed for your special needs as a handcrafted solution.

                                    • Opportunities: Time to market is smaller. You might profit from external developments.

                                    • Threats: You might upset customers with additional dependencies.


                                    As you can see the additional effort to develop a handcrafted solution is an investment into lowering your threats. Now you can make a strategic decision.






                                    share|improve this answer


























                                      0












                                      0








                                      0







                                      Basically it all comes down to effort vs. risk.



                                      By adding an additional dependency or update your framework or use higher level API, you lower your effort but you take up risk. So I would suggest doing a SWOT analysis.




                                      • Strengths: Less effort, because you don't have to code it yourself.

                                      • Weaknesses: It's not as custom designed for your special needs as a handcrafted solution.

                                      • Opportunities: Time to market is smaller. You might profit from external developments.

                                      • Threats: You might upset customers with additional dependencies.


                                      As you can see the additional effort to develop a handcrafted solution is an investment into lowering your threats. Now you can make a strategic decision.






                                      share|improve this answer













                                      Basically it all comes down to effort vs. risk.



                                      By adding an additional dependency or update your framework or use higher level API, you lower your effort but you take up risk. So I would suggest doing a SWOT analysis.




                                      • Strengths: Less effort, because you don't have to code it yourself.

                                      • Weaknesses: It's not as custom designed for your special needs as a handcrafted solution.

                                      • Opportunities: Time to market is smaller. You might profit from external developments.

                                      • Threats: You might upset customers with additional dependencies.


                                      As you can see the additional effort to develop a handcrafted solution is an investment into lowering your threats. Now you can make a strategic decision.







                                      share|improve this answer












                                      share|improve this answer



                                      share|improve this answer










                                      answered 16 hours ago









                                      Dominic HoferDominic Hofer

                                      1243




                                      1243






















                                          Bertus is a new contributor. Be nice, and check out our Code of Conduct.










                                          draft saved

                                          draft discarded


















                                          Bertus is a new contributor. Be nice, and check out our Code of Conduct.













                                          Bertus is a new contributor. Be nice, and check out our Code of Conduct.












                                          Bertus is a new contributor. Be nice, and check out our Code of Conduct.
















                                          Thanks for contributing an answer to Software Engineering Stack Exchange!


                                          • Please be sure to answer the question. Provide details and share your research!

                                          But avoid



                                          • Asking for help, clarification, or responding to other answers.

                                          • Making statements based on opinion; back them up with references or personal experience.


                                          To learn more, see our tips on writing great answers.




                                          draft saved


                                          draft discarded














                                          StackExchange.ready(
                                          function () {
                                          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsoftwareengineering.stackexchange.com%2fquestions%2f389972%2fhow-to-deal-with-fear-of-taking-dependencies%23new-answer', 'question_page');
                                          }
                                          );

                                          Post as a guest















                                          Required, but never shown





















































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown

































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown







                                          Popular posts from this blog

                                          El tren de la libertad Índice Antecedentes "Porque yo decido" Desarrollo de la...

                                          Castillo d'Acher Características Menú de navegación

                                          Connecting two nodes from the same mother node horizontallyTikZ: What EXACTLY does the the |- notation for...