jml's notebook


Imagine I'm a grumpy old man version of Rich Hickey, and I'm giving a talk about dependencies.

In Go, you "vendor" dependencies. This means you copy their source code into your tree, and build them every time you build your thing.

But "vendor" isn't a verb. It's a noun. The OED says:

A person or company offering something for sale, especially a trader in the street

The verb is "to vend", which mean:

offer (small items) for sale, either from a stall or a slot machine

The idea with dependencies is that the library maintainers are the (third-party) vendors, and you are assuming a certain kind of responsibility for their offering.

There's already a word in English for obtaining something from a vendor and assuming responsibility for it: "buy"

obtain in exchange for payment

Of course, we don't buy dependencies, because that would imply that we pay for it. With money. To the vendor.

And we can't have that.

And yet, even though we don't exchange a payment for our dependencies, they still have a cost. They must be understood, adapted to, and kept up to date. Any bugs in them have to be fixed, somehow, if you care at all about your users.

But there's another definition of "buy" that's relevant for dependencies:

accept the truth of

When we buy a dependency, we are trusting that it does what it says on the tin. pytz correctly implements timezones? Sure, I buy that. Prometheus exports metrics? Entirely credible.

So, as an experiment, I suggest you spend the next week weirding your colleagues out by talking about "buying dependencies" rather than vendoring them. It can't be any more bizarre than using vendor as a verb.