"There are no solutions ... only trade-offs." -- Thomas Sowell

tl;dr: "As a library author it’s tempting to bring in dependencies for various reasons, but as a library user it’s frequently convenient to not have cascading dependency sets. ... If a user already has something they like, make it as easy as possible for them to keep using it without making them install things they don't actually need. That is the kind of duplication we really want to avoid. This applies not only to HTTP response delivery, but to caching, logging, translation, templating, and a host of other functionality."


Recent articles from me and others regarding the Aura project for PHP 5.4+, dependencies, and decoupling have generated a lot of commentary, some of it negative, and some of it misdirected. For reference, the posts are:

In this post, I'll respond to some of that commentary. I will sum up similar comments and address those summaries.

Regarding "Dependencies Are Bad"

Bernhard "Webmozart" Schussek writes an otherwise good post that, unfortunately, begins by misconstruing my statements:

Aura is creating some buzz that components of PHP frameworks should not have any dependencies.

...

The general attitude of people arguing against dependencies is that dependencies are a bad thing.

Matt Robinson makes a related comment:

You’ve made a judgement call that dependencies should be avoided at all costs – I think that’s going a bit too far.

I can understand how some readers might infer the "dependencies are bad" sentiment from the interviews, especially if they did not read with thoughtful consideration. Their assessment is incorrect.

For the record: dependencies are not a bad thing in and of themselves, nor are they a good thing in and of themselves. Choosing to have one or more dependencies is a trade-off in software development, where the gains and losses from having the dependency must be judged according to the context of the development goals.

If dependencies are neither good nor bad in themselves, why does Aura avoid them so assiduously?

To learn the answer, please recall the origin of the Aura project (which is essentially the second major version of the Solar framework):

One of the repeated questions we got regarding Solar went like this: “I want to use just one part of Solar; can I do that without having to download and configure the whole framework?” Of course the answer to that was “not really.” It was a monolithic framework, where all the pieces were designed to work with each other in a relatively dependent fashion.

So with Aura, we started out from the other direction. We wanted the pieces to be usable on their own, without any other dependencies. Only after that would we build a framework out of the pieces.

As you can see, it is expressly our goal to serve a particular set of users as our primary focus: those who want independent libraries without added dependencies.

As a library author it's tempting to bring in dependencies for various reasons, but as a library user it's frequently convenient to not have cascading dependency sets. Call it a case of taking our audience seriously, and going as far as we can with it.

Regarding "Duplication"

Matt Robinson asks:

[W]hat’s the real difference between AuraHttpMessageResponse and AuraWebResponse? They look remarkably similar and have significant overlap in interface and purpose. I might be wrong, but it looks like you’ve got this big chunk of duplicated effort for the sake of avoiding one line in a composer.json file. :)

They are remarkably similar, since they serve a similar purpose; that is, to describe an HTTP response. I think "big chunk" is an inaccurate characterization, though; it's 2 classes out of 56 between both packages.

As Matt allows, he is in fact wrong. ;-) The duplication is not for the sake of avoiding one line in a Composer file. It is to make sure that people who want to use Aura.Web package are not required to additionally install the entire Aura.Http package to get access to a single class.

Many library users out there already have HTTP delivery mechanisms of their own choosing, and have neither the desire nor the inclination to drag another one into their codebase. All these users need is a way to describe an HTTP response. It's easy to do that in a single file.

Because of this single class of duplication that exists in Aura.Web, library users can build a relatively small amount of glue code to send the AuraWebResponse using their existing installation of Guzzle, Buzz, the HTTP extension, plain old PHP, or even the Aura.Http package. This is the tradeoff: a single duplicated file, versus many dozens of files of duplicated, unused, and unneeded functionality.

That is the central point for the Aura project: if a user already has something they like, make it as easy as possible for them to keep using it without making them install things they don't actually need. That is the kind of duplication we really want to avoid. This applies not only to HTTP response delivery, but to caching, logging, translation, templating, and a host of other functionality.

Stan, who admittedly is part of the Aura target audience, already knows this:

[T]here are some of us out there that have a hybrid of components tooled together. The more dependencies that are forced on us (guilty by assoc) the harder that is to do. So maybe my app that’s routed by Aura, templated by Twig, works with the DB using Doctrine ODM, utilizes Symfony for the Finder and Yaml components and Zend for the console could find itself in a pickle when more baggage is added to the mix through dependencies that might not be necessary.

Amy Stephen also figured out the point pretty quickly ...

Disagree with Paul’s assertion in the comments that such a strategy does not lead to some duplication of code or function or that the methodology means some functionality be sacrificed. Of course, it does. That’s the ying and the yang of it – get one thing clean and another dirty – the cost, time, quality triangle – It’s math. It’s always a balancing act building software.

... although to be fair, I didn't say "does not lead to some duplication"; I said duplicated code was "almost nonexistent." ;-) Perhaps that too was a mischaracterization: a few classes here and there, among hundreds of classes and a dozen packages, seems rather small to me. Others may disagree.

Regarding "Not Invented Here"

Some commenters claim that this approach promotes "NIH" syndrome. Drak said:

Seems to me like you are promoting NIH. The very concept that a decoupled component cant have dependencies means you have to invent everything yourself.

Webmozart similarly opined:

I think this needs some urgent clarification before this way of thinking becomes mainstream and PHP creeps back into its NIH-hole.

I would argue that the offering decoupled packages in the way the Aura does leads away from not-invented-here syndrome, not toward it.

Recall that one of the driving motivations behind Aura was to extract the parts of Solar that users wanted as separate packages. Those users wanted very badly not to engage in NIH by using Solar, but could not, because it was delivered as a monolithic whole. Those users can now download independent, decoupled Aura packages and avoid rewriting the functionality contained therein.

Bertrand lobbed a shot over the net at, I guess, the Symfony crowd, when he said:

Ha, ha, who’s got the NIH syndrom ?

Event_Dispatcher, written in 2005, 3 years before the one in your example...

http://pear.php.net/package/event_dispatcher

This is a comment I sympathize with. It seems to me that many accusations of NIH-ism are more complaints and frustrations that the accused is not using the libraries and packages the accuser prefers.

Regarding "Tests As A Way Of Discovering Dependencies"

Some commenters were dissatsifed with my use of unit testing requirements to discover what a package really depends on, as opposed to what its composer.json file states. Webmozart said:

There’s a distinction between required dependencies and optional, supported libraries. For example, the Symfony2 Validator optionally supports annotations, in which case you need DoctrineCommon (why should it reinvent annotation parsing?). You can use the Validator without any of these supported libraries.

Obviously, the support for these libraries is tested, so for running the tests you also need the supported libraries (doh). I fail to see how this is bad.

Lukas covered this as well:

[T]he issue is that the way [Paul] was comparing. Paul was making a very incorrect conclusion that anything that is needed to run the tests illustrates “cross-package dependencies”. Yet if you look at the composer.json (which I would have expected Paul to be familiar with) then you would notice that infact the Validator component has ZERO dependencies beyond PHP itself:

https://github.com/symfony/Validator/blob/master/composer.json

This was a topic I had hoped I would not have to address. All my other statements regarding dependencies have been as clinical as I could make them, without reference to words like "good" or "bad" in describing the various practices. For this topic, though, I must make some statements that others will find negative or perjorative. Because of that, I am going to do it in an entirely separate post, so as not to pollute this commentary thread too harshly. Look for it in a few days.

Conclusion

Thanks to everyone for their comments and critique, and please be sure to check out the Aura project!

Are you stuck with a legacy PHP application? You should buy my book because it gives you a step-by-step guide to improving you codebase, all while keeping it running the whole time.