A philosophical essay extending the classic 'Cathedral and Bazaar' metaphor by introducing a third element: the 'catacombs' — the transitive dependency graph that underlies all software projects regardless of their governance model. The author argues that while decades of discourse have focused on how software is built (cathedral vs. bazaar), almost no attention is paid to the unmapped, unaudited network of transitive dependencies that every project rests on. Drawing on real-world supply chain attacks like the xz backdoor and the event-stream incident, the piece makes the case that this dependency graph is load-bearing infrastructure that nobody designed as a whole, nobody audits holistically, and which represents a structural security risk independent of how well-governed the project above it is. AI coding agents are noted to worsen the problem by pulling in dependencies even more aggressively.