Thursday, May 21, 2015

How software dies

When software reaches its design apex, the passion to develop it wanes and it begins descending through maintenance hell.  What was once state-of-the-art becomes legacy, and once legacy becomes abandonware.  Except for those rare software gems that endure for generations.


About a month ago, I replaced my home-grown find and egrep alias with ag, The Silver Searcher.  The results were astounding: ag was much, much faster grepping my code bases than find + egrep.  I'm so happy with ag, which is better than ack...

Except for one thing: I can't search for patterns beginning with a hyphen.  ag --php "->count" bombs out, because "->count" looks like a program flag rather than a pattern.  My old alias, using grep, covered this scenario via grep -e.
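The hyphen problem described above, as an added example that is not part of the original post: any getopt-style parser treats an argument starting with "-" as an option, so a bare "->count" is parsed as flags. POSIX grep offers two escapes, the -e PATTERN option and the "--" end-of-options marker, and the example below shows both against a constructed PHP snippet. It uses grep only (ag is not assumed to be installed); the file path, the sample file contents and the function names are mine.

```shell
#!/bin/sh
# Added example: grepping for a pattern that begins with a hyphen.
# Sample PHP snippet below is constructed for this demo.

make_sample() {
    # $1 = path of the constructed sample file
    cat > "$1" <<'EOF'
<?php
$n = $collection->count();
$first = $collection->first();
echo "count: $n";
EOF
}

# Naive call: grep "$2" "$1" sees "->count" as the options "-", ">" ... and
# refuses them.  Returns grep's exit status (2 on GNU/BSD grep, 1 on BusyBox);
# the point is that it is never 0 and never a search.
naive_status() {
    rc=0
    grep "$2" "$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Escape 1: -e PATTERN marks the next argument as a pattern, whatever it
# starts with.  Prints the number of matching lines.
count_matches_e() {
    grep -c -e "$2" "$1"
}

# Escape 2: "--" ends option parsing; everything after it is an operand.
# Equivalent result, and it also protects file names that begin with "-".
count_matches_dashdash() {
    grep -c -- "$2" "$1"
}

demo() {
    f=$(mktemp)
    make_sample "$f"
    printf 'naive grep exit status : %s\n' "$(naive_status "$f" '->count')"
    printf 'grep -e matches        : %s\n' "$(count_matches_e "$f" '->count')"
    printf 'grep -- matches        : %s\n' "$(count_matches_dashdash "$f" '->count')"
    rm -f "$f"
}

demo
```

Both escapes are standard, so a search alias that always passes its pattern through -e (or after --) never trips over a leading hyphen; the same convention is what a -e option in ag restores.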

So what to do?  I really wanted this ability.  I could have opened an issue and joined the other 87 requests awaiting resolution.  I could have reverted to my slow, ad-hoc find + egrep solution and spent time waiting for search results.

Instead, I decided I'd add the feature myself.  I haven't written C code in almost 20 years, but hey, it's like riding a bike.  And it turns out I only spent about 30 minutes getting the feature into a pull request, complete with unit tests and documentation.

At about the same time, a message hit the PHP internals mailing list about the abysmal state of cryptography in PHP.
The current state of cryptography in PHP is, well, abysmal. Our two main choices for handling symmetric cryptography are libmcrypt (collecting dust since 2007) and openssl, which lacks a streaming API (e.g. mcrypt_generic) and GCM support.
While mcrypt is slowly decomposing in the corner and code is being desperately migrated towards openssl in case a critical vulnerability is discovered in the abandonware choice, the libsodium extension has been growing steadily.
Those are some pretty strong words against libmcrypt.  Thing is, ten years ago libmcrypt was state of the art.  Time has passed, though, and libmcrypt has rotted.  No one has spent time making the software any better.  Why?

All software seems to pass through four phases.  At first, there is the original author's passion, driven by personal or professional needs.  Then comes the maintenance transition and plateau, where use-case-specific improvements like mine begin to replace the original author's full-time feature building.  During this plateau, software reaches its design apex, that point where the original problem is solved so thoroughly that no one has new features to add.  Then comes the rot: the original author and maintainers move on and, sometimes, sporadic volunteer effort fixes bugs.  The phase diagram reminds me of an ADSR envelope.

Software dies of neglect.  Features are requested and never implemented.  Bugs are reported but never fixed.  The longer the time since an issue was opened, the greater the sense of neglect.  The "age of oldest bug" metric becomes the "rot" smell.

But in a strange twist, perhaps the greatest compliment we can pay software is "age of oldest unreported bug".  Bash lived 25 years before Stephane Chazelas discovered Shellshock.  A YACC bug lived 33 years before being fixed.  (More examples.)

I hope in 30 years ag will still be around, and folks will be using my tiny contribution: ag -e.
