Binary Dependencies: Identifying the Hidden Packages We All Depend On

Ghost packages are haunting your apps — build it all or just use Debian

TLDR: A FOSDEM 2026 talk warns that hidden pre‑made software parts (“phantom binaries”) make apps less secure and obscure which maintainers need support. In the comments, one user says “build everything from source,” then also “use Debian packages,” spotlighting the purity vs convenience fight and why it matters for hospitals, transport, and the internet.

At a big open‑source conference (FOSDEM 2026), a speaker sounded the alarm about phantom binary dependencies — the pre‑made software pieces your app secretly relies on but never lists. Think mystery ingredients in your soup: you can’t see them, but if they go bad, everyone gets sick. That’s a problem for security and for the unpaid volunteers who keep these parts alive. If we don’t know what we’re depending on, we can’t patch bugs or pay maintainers. The proposed fix: build tools to actually map these hidden links and make package managers talk to each other.

Then the comments rolled in with peak open‑source energy. User pabs3 went full survivalist: “avoid all of those binaries … and build from source instead,” linking to the ultra‑DIY world of bootstrappable.org and an explainer on LWN. Translation: grind your own flour, bake your own bread, trust no store‑bought loaf. Moments later, the same handle offered a calmer path: “use Debian packages” to track both source and binary bits — the grocery list approach. The vibe: purity vs practicality, hand‑rolled builds vs hit install and sleep. Cue memes about haunted code and “who compiled this ghost?”

Key Points

  • The talk defines phantom binary dependencies as unrecorded relationships to precompiled binaries used by software.
  • Standard manifests (e.g., pyproject.toml, package.json) capture source dependencies but typically omit binary dependencies.
  • Hidden binary dependencies pose sustainability risks by obscuring which maintainers should be funded.
  • They also create security risks by hiding vulnerable libraries that affect downstream projects and critical infrastructure.
  • The article proposes building cross-ecosystem tools to detect and record binary dependencies and improving package manager interoperability.
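The gap the talk describes is concrete: a Python manifest lists `cryptography`, but nothing records that the wheel's native extension module links `libcrypto.so.3`. The script below is an added example, not code from the talk or from any project it names. It walks a package tree, finds native extension modules by suffix, and reads each one's `DT_NEEDED` entries straight from the ELF dynamic segment, producing the binary-dependency inventory that `pyproject.toml` omits. It assumes ELF64 little-endian binaries, and for offline use it constructs a minimal fake ELF image (`build_sample_elf`, constructed test data) rather than shipping a real library.

```python
"""Inventory the shared-library ("phantom binary") dependencies of native
extension modules in a package tree.  Added example; assumes ELF64 LE
binaries and uses a constructed in-memory ELF image as sample input."""
import os
import re
import struct
import tempfile

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
# Matches _ext.cpython-312-x86_64-linux-gnu.so, libfoo.so.1, mod.pyd, lib.dylib
NATIVE_RE = re.compile(r"\.(so(\.\d+)*|pyd|dylib)$")


def elf_needed(data: bytes) -> list[str]:
    """Return the DT_NEEDED sonames of an ELF64 little-endian image ([] otherwise)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return []
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _fl, p_off, p_vaddr, _pa, p_filesz, p_memsz, _al = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_memsz, p_off))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        return []

    def to_offset(vaddr: int) -> int:
        # DT_STRTAB holds a virtual address; map it to a file offset via PT_LOAD.
        for seg_vaddr, seg_memsz, seg_off in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_memsz:
                return vaddr - seg_vaddr + seg_off
        raise ValueError("DT_STRTAB address not covered by any PT_LOAD segment")

    needed_idx, strtab = [], None
    off, end = dynamic[0], dynamic[0] + dynamic[1]
    while off + 16 <= end:
        tag, val = struct.unpack_from("<qQ", data, off)
        off += 16
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed_idx.append(val)
        elif tag == DT_STRTAB:
            strtab = to_offset(val)
    if strtab is None:
        return []
    return [data[strtab + i:data.index(b"\0", strtab + i)].decode() for i in needed_idx]


def scan_native_deps(root: str) -> dict[str, list[str]]:
    """Map each native module under root to the sonames it links against."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if NATIVE_RE.search(fn):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    found[os.path.relpath(path, root)] = elf_needed(fh.read())
    return found


def build_sample_elf(needed: list[str]) -> bytes:
    """Construct a minimal ELF64 image whose dynamic segment names `needed`.
    Constructed sample data for offline runs, not a real shared library."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    offsets, pos = [], 1
    for n in needed:
        offsets.append(pos)
        pos += len(n) + 1
    hdr_len, ph_len = 64, 56
    dyn_off = hdr_len + 2 * ph_len                      # two program headers
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    str_off = dyn_off + len(dyn) + 32                   # + DT_STRTAB + DT_NULL
    dyn += struct.pack("<qQ", DT_STRTAB, str_off) + struct.pack("<qQ", DT_NULL, 0)
    total = str_off + len(strtab)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9   # ELF64, LE, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, hdr_len, 0, 0,
                              hdr_len, ph_len, 2, 0, 0, 0)
    # One PT_LOAD mapping the whole file at vaddr 0, so vaddr == file offset.
    ph = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    ph += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                      len(dyn), len(dyn), 8)
    return hdr + ph + dyn + strtab


def demo() -> dict[str, list[str]]:
    """Build a constructed site-packages tree and inventory its binary deps."""
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, "site-packages", "mypkg")
        os.makedirs(pkg)
        with open(os.path.join(pkg, "__init__.py"), "w") as fh:
            fh.write("# pure Python: this is all the manifest sees\n")
        with open(os.path.join(pkg, "_native.cpython-312-x86_64-linux-gnu.so"), "wb") as fh:
            fh.write(build_sample_elf(["libcrypto.so.3", "libz.so.1"]))
        return scan_native_deps(root)


if __name__ == "__main__":
    for module, libs in demo().items():
        print(f"{module}: {', '.join(libs) or '(no DT_NEEDED)'}")
```

Run against a real virtualenv's `site-packages`, the same scan lists the sonames every compiled extension pulls in at load time; diffing that list against what the distribution's manifest declares is the cross-ecosystem record the talk asks for, and the hypothetical placeholder `mypkg` would be replaced by whatever the tree actually contains.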

Hottest takes

"avoid all of those binaries (including the Linux kernel) and build from source instead" — pabs3
"I like using Debian packages to keep track of source and binary dependencies" — pabs3

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.