
IMO, the biggest reason is how broken the Java ecosystem is. Java-the-language is mostly okay, Java-the-toolchain (JVM) is pretty great, but Maven/Gradle/etc. are awful.

Java is one of the few ecosystems that provides a software distribution ecosystem that doesn't allow distribution of sources alongside binaries. Additionally, it is a lot more common for Java dependencies to be a game of Jenga. Take for example, Gradle. Gradle literally cannot be built from source[1] because it relies on a binary cache of dependencies held by Gradle to build Gradle. There are many other examples of this. As a consequence, the Java ecosystem has become a security and maintenance nightmare that other ecosystems simply aren't.

As bad as Nodejs is, it doesn't do this. As difficult as .NET has been, the dependency hygiene is better there. As annoying as Go and Rust are, they provide better guarantees in their ecosystems than Java does. While Python and Ruby are "slower" than Java, they both make it up in developer productivity and transparent, well-reasoned tooling compared to Java.

[1]: https://twitter.com/decathorpe/status/1250048390228041729




> Java is one of the few ecosystems that provides a software distribution ecosystem that doesn't allow distribution of sources alongside binaries.

This is wrong; source distribution is a standard in Maven.

> Gradle literally cannot be built from source[1] because it relies on a binary cache of dependencies held by Gradle to build Gradle.

This is wrong as well, as pointed out in the thread.

> As a consequence, the Java ecosystem has become a security and maintenance nightmare that other ecosystems simply aren't. As bad as Nodejs is, it doesn't do this.

This is almost hilarious. I'm working at a company at the moment guiding security updates for Java and Node.js backends. The Java backends are not an issue. The Node.js backends are almost impossible to upgrade; the JavaScript frontends are even closer to impossibility.


> the Java ecosystem has become a security and maintenance nightmare that other ecosystems simply aren't.

What? NodeJS ecosystem with npm was a nightmare to every security team I've worked with. Java is much the opposite, you run a local Artifactory to cache your dependencies, you run security checks against the cached dependencies to guarantee everything your org is actually depending on doesn't have major holes, you can block dependencies from being pulled through your Artifactory proxy. Hell, your org can even provide a BOM/root POM describing exactly the supported versions for dependencies across the board.

I've been working as a SWE for almost 20 years. In my language toolbelt for applications I've developed and maintained in production I have ASP 3.0, PHP, Ruby, Python, Go, JavaScript, Scala, Clojure and Java; of all these ecosystems, the one I've consistently been the most productive in is the JVM, and even Java itself I'd say.

I don't even like Java the language, I just think it's a great tool for a lot of jobs (even more if maintainability over the long term is a must), but I sincerely can't see a single one of your points against Java materialised in my work experience...
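
One way to express the "BOM/root POM" and dependency-blocking policy mentioned in the comment above, as an added example that is not part of the thread or of any project discussed in it. All `com.example.*` coordinates and their versions are constructed placeholders; the enforcer plugin version shown is an assumption and should be whichever release your organisation has vetted.

```xml
<!-- Constructed root (parent) POM: child projects inherit both the pinned
     versions and the enforcer rules. com.example.* names are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.platform</groupId>
  <artifactId>org-root</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <!-- Supported versions: children declare the dependency without <version>. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example.libs</groupId>
        <artifactId>json-codec</artifactId>
        <version>2.4.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version> <!-- assumed; pin to your vetted release -->
        <executions>
          <execution>
            <id>enforce-dependency-policy</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <!-- Fail the build if a blocked artifact is present,
                     including when it arrives transitively. -->
                <bannedDependencies>
                  <excludes>
                    <exclude>com.example.legacy:unsafe-xml</exclude>
                    <!-- version range: everything up to and including 2.4.0 -->
                    <exclude>com.example.libs:json-codec:(,2.4.0]</exclude>
                  </excludes>
                </bannedDependencies>
                <!-- Fail if transitive paths disagree on a dependency's version. -->
                <dependencyConvergence/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The build-time rules complement, rather than replace, blocking at the repository proxy: the proxy controls what can be downloaded at all, while the enforcer fails builds that resolve a disallowed artifact.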


I'd say it is the opposite. C# is a better language but the open source ecosystem is crippled because too many .NET developers believe "Microsoft, wrong or right"

I'd grant that Gradle is problematic but Maven is better than either pip or npm in most respects.

Unlike pip, Maven has a correct algorithm for resolving dependencies and the language is not full of footguns like

   pip --user

thanks to Java's xenophobia Java users don't have a sense of entitlement that they can just type

   python

and have an environment that works. Virtualenv(s) work great in Python if you never do

   pip --user

but some people will do it no matter what.


As a Java developer, sort of, who uses Maven (not Gradle) but spends more time fixing UI stuff (because that's where everything breaks), I don't recognise this at all.

I can't say I'm a Maven cheerleader but I find nodejs, sorry npm, with webpack, or yarn, babel, gulp, or... to be a confusing soup of incompatibility. Most of which moves on so quickly that whatever works this week is dead next week.


I think there are lots of valid barbs to throw the way of Java and the JVM ecosystem, but I'm slightly baffled that you'd choose tooling and maintainability. I've had a very happy, quiet 15 years or so on top of Maven and it's never ruined my day. In the meantime, the situation with Python and Ruby has been so thoroughly and reliably awful that basically the entire industry had to move to Docker to be able to get anything done.


This is one of the most ignorant comments I've recently read on HN. The NPM dep system is a security nightmare. Try to publish something on Maven Central vs npm. I don't remember the last time I had a problem with Maven, whereas we have them daily with package.json / package-lock.json.

Python is a joke. Really. Tried using an Airflow API for days. Having no static types, you have to rely on documentation, so good luck. Python is OK for scripting, a few dozen LoC, not for serious enterprise dev.

In the enterprise world Java/JVM is THE way to go, there's just too many choices and possibilities. You don't like Spring? No problem, there's endless other frameworks.


Why would this be a problem? In what world would I care to build gradle on my own?


I only ever heard concerns about it from Guix people who are hard on bootstrappability (they literally have a few hundred kb C-subset compiler which can compile a whole-C compiler written in that subset which will be able to compile a normal C compiler, etc). But most platforms are not made for easy bootstrappability and it is not a concern in itself.


> As difficult as .NET has been

Can you elaborate on the difficulty of .NET? (Purely curious!)



