> We can't go NIH for everything. If we do that we're back to baremetal in our own datacenters[...]
It's a bit of a leap from keeping copies of dependencies to building your own datacenter. Even the smallest startup can easily do the former.
> This is the tradeoff we made with the move to cloud.
To clarify, when I say keep local copies I meant copies which are under local control (i.e. control of your organization). They may well still physically be in AWS somewhere. The key is that they can't be modified/deleted by some third party who doesn't report to your organization.
Yes, this assumes AWS is too big to fail, but for the typical startup whose entire existence is already dependent on their AWS account being available, this would not increase risk beyond what it already is, whereas each additional hard dependency on third-party repos does increase risk.
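Added example, not posted by anyone in this thread: one concrete form of "copies under local control" is a mirror directory (on disk or synced to a bucket your org owns) plus an integrity manifest checked into your own source control, so that any modification, deletion or addition by someone outside the organization shows up before a build consumes it. The layout, file names and helper names below are my assumptions; the artifact contents are constructed bytes, not real packages.

```python
"""Integrity manifest for a locally controlled dependency mirror.

Assumed layout (not from the thread): <mirror>/packages/<artifact files>
plus <mirror>/MANIFEST.sha256.json mapping relative path -> sha256.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # hypothetical name


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large wheels/tarballs are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _artifacts(mirror: Path):
    """Yield (relative posix path, Path) for every file except the manifest itself."""
    for p in sorted(mirror.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            yield p.relative_to(mirror).as_posix(), p


def build_manifest(mirror: Path) -> dict:
    """Record the hash of every artifact currently in the mirror (run at vendoring time)."""
    entries = {rel: sha256_file(p) for rel, p in _artifacts(mirror)}
    (mirror / MANIFEST_NAME).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_mirror(mirror: Path) -> dict:
    """Compare the mirror against its manifest.

    Returns lists of artifacts that are unchanged, modified (hash differs),
    missing (in manifest but gone) and unexpected (present but never recorded).
    """
    expected = json.loads((mirror / MANIFEST_NAME).read_text())
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    present = set()
    for rel, p in _artifacts(mirror):
        present.add(rel)
        if rel not in expected:
            report["unexpected"].append(rel)
        elif sha256_file(p) == expected[rel]:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["missing"] = sorted(set(expected) - present)
    return report


def demo() -> tuple:
    """Build a constructed mirror, verify it clean, then simulate outside tampering."""
    mirror = Path(tempfile.mkdtemp(prefix="mirror-"))
    pkgs = mirror / "packages"
    pkgs.mkdir()
    # Constructed artifact bytes; the file names only stand in for real packages.
    (pkgs / "requests-2.31.0-py3-none-any.whl").write_bytes(b"constructed wheel bytes\n")
    (pkgs / "left-pad-1.3.0.tgz").write_bytes(b"constructed tarball bytes\n")
    build_manifest(mirror)
    clean = verify_mirror(mirror)

    # A party outside the org rewrites one artifact, deletes one, and drops in a new one.
    (pkgs / "requests-2.31.0-py3-none-any.whl").write_bytes(b"backdoored bytes\n")
    (pkgs / "left-pad-1.3.0.tgz").unlink()
    (pkgs / "colors-1.4.44.tgz").write_bytes(b"unexpected new file\n")
    tampered = verify_mirror(mirror)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", json.dumps(clean))
    print("tampered:", json.dumps(tampered))
```

The manifest is only as trustworthy as where it lives: keep it in the repository that also pins your dependency versions, not beside the artifacts in the same bucket, otherwise whoever can rewrite the artifacts can rewrite the hashes too. Run `verify_mirror` as a CI gate before any install step that reads from the mirror.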