I'm trying very hard not to get into a fight on github after being told that a package manager should implement _mechanism_ not _policy_, a canard I haven't heard in probably 15 years.

Deciding not to set safe, reasonable defaults is an abdication of responsibility. It's negligence. We've tried doing it that way and we just know that now.

"Respectfully, there's no such thing as providing mechanism without policy. There is only mechanism with safe, well-considered default policy or unsafe, unconsidered default policy."

Going to bite my tongue after that.

But if I'm being honest the thing that set me off was that the words mechanism and policy were italicized for emphasis.

Do not 'sir' me young man, you have no idea who you're dealing with.

@mhoye This was my immediate thought. *Some* behaviour is the default! Setting defaults to zero or false or null or whatever is still choosing defaults. You can choose better ones…
@mhoye package manager clients and registries are literally encoded community policy and governance rules for an ecosystem
Package Registries Are Governance Providers

Registries host files, but they also decide who owns names, how disputes resolve, and what gets removed. That second job is governance.

Andrew Nesbitt
@andrewnez Absolutely. It is incredible how many people will argue with a straight face that their software has somehow emerged fully formed from the brow of abstract mathematics, and is not the product of decisions people have made about how other people should work with and be affected by those decisions.
@mhoye @andrewnez Also how reluctant folks sometimes are to admit that a particular default setting may not have been thought about at all beyond "well, I need to initialise it to *something*, and 'turned off' is not going to obviously break anything"
@ancoghlan @mhoye I can't point and say "this" enough!
@andrewnez @mhoye Now I'm having flashbacks to when we actually got serious about setting *real* default TLS verification policies for the Python standard library instead of settling for that historical practice of "off by default". Yikes, that was a lot of work for a lot of people (worth it, though).
@ancoghlan @andrewnez Yeah, I believe you. Picking "We don't want to have an opinion" is a lot harder to remediate later than "we have to have _something_ to say here, so let's at least build in a way to say something."
@ancoghlan @andrewnez I'm 100% convinced that the "mechanism not policy" argument is DARVO for software design.
@mhoye @andrewnez "It's not designed badly, you're just holding it wrong"
@ancoghlan @andrewnez ... while I, the developer of this software, who designed, implemented and documented all of the handles, am powerless and also blameless, and it is in fact _you_ who are attacking _me_ by arguing that it should be different.
@mhoye @ancoghlan @andrewnez these are the same people who say they aren’t political.

@mhoye I don't think I ever heard this slogan before last year. I ran across it in a paper from 1975, <https://dl.acm.org/doi/epdf/10.1145/1067629.806532>

"an operating system should not attempt to provide a fixed set of policies, particularly protection policies. Rather, it should provide a set of mechanisms with which a large set of policies [...] can be constructed."

Even at that time, was this smart design, or an excuse to play with mechanism and ignore practicalities? maybe both

@jorendorff The audience for that idea at the time would have been mainframe purchasers. In 1975 the PS/2 is still twelve years away, and everyone who you would be "providing mechanism" _for_ was a large team of full time operators with deep systemic knowledge and fabulously expensive four-hour support contracts. It made sense when you got what would by today's standards be the barest of barebones systems that your team would then configure to your business requirements. Whole different world.
@mhoye yeah, full agreement, I had a followup toot like "needless to say, the concerns were different before the IBM PC, the internet, and my entire life" and didn't send
@jorendorff ... also given modern sensibilities it's a baffling read? "Hydra shouldn't impose policy" my guy that is the number one thing Hydra wants to do and that policy is going to be "we're throwing your whole ass into the mechanism."

@mhoye "it's cool because you don't want a _car_

that, like, comes with a key, and you just turn it

you're gonna build your _own_ car"

@jorendorff This is, no joke, exactly what fancier cars in the 1920s were and the top end Rolls Royces are today. You didn't do anything as pedestrian as "buy a Duesenberg", no sir. You talked to a consultant who tailored your particular order for your very specific Duesenberg.

@jorendorff also - I think I need to rewrite the wikipedia article on this? It's oddly written and very ahistorical...

https://en.wikipedia.org/wiki/Separation_of_mechanism_and_policy

@mhoye I wonder which package manager you could be talking about? /s
@aj Not the one you'd think!
@mhoye the phrase “tyranny of defaults” comes to mind.
@mhoye Scooby Doo meme:
"Mechanism, not policy"
takes ghost's hood off
"Policy"
There's always policy underneath.
@mhoye Am I still salty that X's "mechanism not policy" had a lot of implicit policy in it for things like window managers, constraining you to a particular style of window manager? Yes, yes I am.