When is it (not) appropriate to bundle dependencies with an application?

忘掉有多难 2021-02-19 13:43

Summary

I recently had a conversation with the creator of a framework that one of my applications depends on. During that conversation he mentioned as

8 Answers
  • 2021-02-19 13:49

    Beware reproducing the classic Windows DLL hell. By all means minimize the number of dependencies: ideally, just depend on your language and its framework, nothing else, if you can.

    After all, preserving hard disk space is hardly the objective any more, so users need not care about having multiple copies. Also, unless you have a minuscule number of users, be sure to take the onus of packaging on yourself rather than requiring them to obtain all dependencies!

  • 2021-02-19 13:52

    Can't you just rely on a certain version of those dependencies? E.g. in Python with setuptools you can specify which exact version it needs or even give some conditions like <= > etc. This of course only applies to Python and on the specific package manager but I would personally always first try not to bundle everything. With shipping it as a Python egg you will also have all the dependencies installed automatically.

    You might of course also use a two-way strategy in providing your own package with just links to the dependencies and nevertheless provide a complete setup in some installer-like fashion. But even then (in the Python case) I would suggest to simply bundle the eggs with it.

    For some introduction into eggs see this post of mine.

    Of course this is very Python specific but I assume that other languages might have similar packaging tools.

  • 2021-02-19 13:52

    An important point seems to have been forgotten in the Cons of bundling libraries/frameworks/etc with the application: security updates.

    Most Web frameworks are full of security holes and require frequent patching. Any library, anyway, may have to be upgraded one day or the other for a security bug.

    If you do not bundle, sysadmins will just upgrade one copy of the library and restart depending applications.

    If you bundle, sysadmins will probably not even know they have to upgrade something.

    So, the issue with bundling is not the disk space, it's the risk of letting old and dangerous copies around.

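The patching concern raised in the answer above, as an added example that is not part of the original answers: an inventory script that finds every copy of a library under a root directory, system-wide or bundled, and lists the ones older than a patched release. The package names, directory layout and the "fixed in 2.4.0" advisory are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Matches "name-1.2.3.dist-info", "name-1.2.3.egg-info" and "name-1.2.3-py3.8.egg"
_DIST = re.compile(r"^(?P<name>[A-Za-z0-9_.]+?)-(?P<ver>\d+(?:\.\d+)*)[^/]*"
                   r"\.(?:dist-info|egg-info|egg)$")

def _vtuple(version):  # plain X.Y.Z releases only (assumption)
    return tuple(int(p) for p in version.split("."))

def find_copies(root):
    """Map normalized package name -> [(version, path)] for every copy under root."""
    copies = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            m = _DIST.match(entry)
            if m:
                name = re.sub(r"[-_.]+", "-", m["name"]).lower()
                copies[name].append((m["ver"], os.path.join(dirpath, entry)))
    return copies

def stale_copies(copies, fixed_in):
    """Return sorted (name, version, path) for copies older than the patched release."""
    stale = []
    for name, minimum in fixed_in.items():
        for version, path in copies.get(name, []):
            if _vtuple(version) < _vtuple(minimum):
                stale.append((name, version, path))
    return sorted(stale)

def build_sample_tree(root):
    """Constructed layout: one system-wide copy plus copies bundled inside two apps."""
    for rel in ("system/site-packages/examplelib-2.4.1.dist-info",
                "apps/billing/vendor/examplelib-2.1.0.dist-info",
                "apps/reports/eggs/ExampleLib-1.9.3-py3.8.egg",
                "apps/reports/eggs/otherlib-0.5.0.egg-info"):
        os.makedirs(os.path.join(root, *rel.split("/")))

def demo():
    """Hypothetical advisory: examplelib is fixed in 2.4.0; list what is still older."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        stale = stale_copies(find_copies(root), {"examplelib": "2.4.0"})
        return [(n, v, os.path.relpath(p, root).replace(os.sep, "/")) for n, v, p in stale]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Upgrading the system-wide copy leaves both bundled copies in place, which is why the scan has to walk application directories and not only the shared site-packages.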
  • 2021-02-19 13:55

    For Linux, don't even think about bundling. You aren't smarter than the package manager or the packagers, and each distribution takes its own approach - they won't be happy if you attempt to go your way. At best, they won't bother with packaging your app, which isn't great.

    Keep in mind that in Linux, dependencies are automatically pulled in for you. It's not a matter of making the user get them. It's already done for you.

    For Windows, feel free to bundle, you're on your own there.

  • 2021-02-19 14:04

    I favor bundling dependencies, if it's not feasible to use a system for automatic dependency resolution (i.e. setuptools), and if you can do it without introducing version conflicts. You still have to consider your application and your audience; serious developers or enthusiasts are more likely to want to work with a specific (latest) version of the dependency. Bundling stuff in may be annoying for them, since it's not what they expect.

    But, especially for end-users of an application, I seriously doubt most people enjoy having to search for dependencies. As far as having duplicate copies goes, I would much rather spend an extra 10 milliseconds downloading some additional kilobytes, or spend whatever fraction of a cent on the extra meg of disk space, than spend 10+ minutes searching through websites (which may be down), downloading, installing (which may fail if versions are incompatible), etc.

    I don't care how many copies of a library I have on my disk, as long as they don't get in each other's way. Disk space is really, really cheap.

  • 2021-02-19 14:04

    If you're producing software for an end-user, the goal is to let the customer use your software. Anything that stands in the way is counter-productive. If they have to download dependencies themselves, there's a possibility that they'll decide to avoid your software instead. You can't control whether libraries will be backwards compatible, and you don't want your software to stop working because the user updated their system. Similarly, you don't want a customer to install an old version of your software with old libraries and have the rest of the system break.

    This means bundling is generally the way to go. If you can ensure that your software will install smoothly without bundling dependencies, and that's less work, then that may be a better option. It's about what satisfies your customers.
