Debian discusses vendoring—again
Debian discusses vendoring—again
Posted Jan 13, 2021 14:47 UTC (Wed) by pizza (subscriber, #46)In reply to: Debian discusses vendoring—again by dottedmag
Parent article: Debian discusses vendoring—again
> Also over time (3) becomes cheaper as problems don't tend to be unique every time.
You left out the cost of cleaning up after exploits found in your in-house library. Because your in-house code is far (far!) more likely to be full of holes than random F/OSS libraries that are used by a variety of other folks.
You also left out the fact that if it's in-house, $Z and $W are paid entirely by your organization, so while (3) might get smaller (relative to itself) over time, it will forever remain much larger than using a F/OSS library whose $Z and $W approach $0, as you're not shouldering the entire price of development and maintenance yourself.
In the end, most organizations go with (1) because they simply don't have the resources to do anything differently. (3) tends to only happen in areas where cost is not a primary consideration (eg military, medical, safety, and other highly regulated industries) or when there are specific requirements that cannot be met any other way. Varying degrees of (2) is where most organizations end up, typically balanced on the trailing edge of cost-benefit analyses.