Often, rather than "reinventing the wheel", software is designed to take advantage of other software components that are already available, or have already been designed and implemented for use elsewhere. This could be compared to how people building a house might buy off-the-shelf components, such as bricks, windows, and doors, rather than producing everything themselves.
Even for a builder, it can be a problem if a building is designed for a certain door type, and only doors with different specifications are available. However, in the software world, where components evolve rapidly and depend significantly on one another, this problem becomes more pronounced.
The issue of dependency hell may be regarded as an anti-pattern, where the fault lies less with the suppliers of the products than with the framework into which they have to fit.
Dependency hell takes several forms:
Many dependencies
An application depends on many libraries, requiring lengthy downloads, large amounts of disk space, and not being very portable (all libraries must be ported for the application to be ported). It can also be difficult to locate all the dependencies, which can be fixed by having a repository (see below). This is partly inevitable; an application built on a given computing platform (such as Java) requires that platform to be installed, but further applications do not require it. This is a particular problem if an application uses a small part of a big library (which can be solved by code refactoring), or a simple application relies on many libraries.
Long chains of dependencies
app depends on
liba, which depends on
libb, ..., which depends on
libz. This is distinct from "many dependencies" if the dependencies must be resolved manually (e.g., on attempting to install
app, the user is prompted to install
liba first. On attempting to install
liba, the user is then prompted to install
libb.). Sometimes, however, during this long chain of dependencies, conflicts arise where two different versions of the same package are required (see
conflicting dependencies below). These long chains of dependencies can be solved by having a package manager that resolves all dependencies automatically. Other than being a hassle (to resolve all the dependencies manually), manual resolution can mask dependency cycles or conflicts.
Conflicting dependencies
If
app1 depends on
libfoo 1.2, and
app2 depends on
libfoo 1.3, and different versions of
libfoo cannot be simultaneously installed, then
app1 and
app2 cannot simultaneously be used (or installed, if the installer checks dependencies). When possible, this is solved by allowing simultaneous installations of the different dependencies. Alternatively, the existing dependency, along with all software that depends on it, must be uninstalled in order to install the new dependency. A problem on Linux systems with installing packages from a different distributor (which is not recommended or even supposed to work) is that the resulting long chain of dependencies may lead to a conflicting version of the C standard library (e.g. the GNU C Library), on which thousands of packages depend. If this happens, the user will be prompted to uninstall all those packages.
Circular dependencies
If
application A depends upon and can't run without a specific version of
application B, but
application B, in turn, depends upon and can't run without a specific version of
application A. Upgrading any application will break another. This scheme can be deeper in branching. Its impact can be quite heavy, if it affects core system or update software itself: a package manager(A), which requires specific run-time library(B) to function, may brick itself(A) in the middle of the process when upgrading this library(B) to next version. Due to incorrect library (B) version, the package manager(A) is now broken- thus no rollback or downgrade of library(B) is possible. The usual solution is to download and deploy both applications, sometimes from within a temporary environment.
Package Manager Dependencies
Popular package managers like YUM, APT-GET, yast, etc. are prone to have conflicts between packages of their repositories, causing dependency hell in famous distros such as CentOS, RHEL, Ubuntu, etc...
Version numbering
A very common solution to this problem is to have a standardised numbering system, wherein software uses a specific number for each version (aka
major version), and also a subnumber for each revision (aka
minor version), e.g.:
10.1, or 5.
7. The major version only changes when programs that used that version will no longer be compatible. The minor version might change with even a simple revision that does not prevent other software from working with it. In cases like this, software packages can then simply request a component that has a particular major version, and
any minor version (greater than or equal to a particular minor version). As such, they will continue to work, and dependencies will be resolved successfully, even if the minor version changes.
Private per application versions
Windows File Protection introduced in Windows 2000 prevented applications from overwriting system DLLs. Developers were instead encouraged to use "Private DLLs", copies of libraries per application in the directory of the application. This uses the Windows search path characteristic that the local path is always prioritized before the system directory with the system wide libraries. This allows easy and effective shadowing of library versions by specific application one, therefore preventing dependency hell.
Side-by-side installation of multiple versions
The version numbering solution can be improved upon by elevating the version numbering to an operating system supported feature. This allows an application to request a module/library by a unique name
and version number constraints, effectively transferring the responsibility for brokering library/module versions from the applications to the operating system. A shared module can then be placed in a central repository without the risk of breaking applications which are dependent on previous or later versions of the module. Each version gets its own entry, side by side with other versions of the same module.
This solution is used in Microsoft Windows operating systems since Windows Vista, where the Global Assembly Cache is an implementation of such a central registry with associated services and integrated with the installation system/package manager.
Smart package management
Some package managers can perform smart upgrades, in which interdependent software components are upgraded at the same time, thereby resolving the major number incompatibility issue too.
Many current Linux distributions have also implemented repository-based package management systems to try to solve the dependency problem. These systems are a layer on top of the RPM, dpkg, or other packaging systems that are designed to automatically resolve dependencies by searching in predefined software repositories. Examples of these systems include Apt, Yum, Urpmi, ZYpp, Portage, Pacman and others. Typically, the software repositories are FTP sites or websites, directories on the local computer or shared across a network or, much less commonly, directories on removable media such as CDs or DVDs. This eliminates dependency hell for software packaged in those repositories, which are typically maintained by the Linux distribution provider and mirrored worldwide. Although these repositories are often huge, it is not possible to have every piece of software in them, so dependency hell can still occur. In all cases, dependency hell is still faced by the repository maintainers.
PC-BSD, up to and including version 8.2, a predecessor of TrueOS (an operating system based on FreeBSD) avoids dependency hell by placing packages and dependencies into self-contained directories in
/Programs, which avoids breakage if system libraries are upgraded or changed. It uses its own "PBI" (Push Button Installer) for package management.
Installer options
Because different pieces of software have different dependencies, it is possible to get into a vicious circle of dependency requirements, or an ever-expanding tree of requirements, as each new package demands several more be installed. Systems such as Debian's Advanced Packaging Tool can resolve this by presenting the user with a range of solutions, and allowing the user to accept or reject the solutions, as desired.
Easy adaptability in programming
If application software is designed in such a way that its programmers are able to easily adapt the interface layer that deals with the OS, window manager or desktop environment to new or changing standards, then the programmers would only have to monitor notifications from the environment creators or component library designers and quickly adjust their software with updates for their users, all with minimal effort and a lack of costly and time-consuming redesign. This method would encourage programmers to pressure those upon whom they depend to maintain a reasonable notification process that is not onerous to anyone involved.
Software appliances
Another approach to avoiding dependency issues is to deploy applications as a software appliance. A software appliance encapsulates dependencies in a pre-integrated self-contained unit such that users no longer have to worry about resolving software dependencies. Instead the burden is shifted to developers of the software appliance.
Portable applications
An application (or version of an existing conventional application) that is completely self-contained and requires nothing to be already installed. It is coded to have all necessary components included, or is designed to keep all necessary files within its own directory, and will not create a dependency problem. These are often able to run independently of the system to which they are connected. Applications in RISC OS and the ROX Desktop for Linux use application directories, which work in much the same way: programs and their dependencies are self-contained in their own directories (folders).
This method of distribution has also proven useful when porting applications designed for Unix-like platforms to Windows, the most noticeable drawback being multiple installations of the same shared libraries. For example, Windows installers for gedit, GIMP, and XChat all include identical copies of the GTK+ toolkit, which these programs use to render widgets. On the other hand, if different versions of GTK+ are required by each application, then this is the correct behavior and successfully avoids dependency hell.
On specific computing platforms, "dependency hell" often goes by a local specific name, generally the name of components.
DLL Hell – a form of dependency hell occurring on Microsoft Windows.
Extension conflict – a form of dependency hell occurring on the classic Mac OS.
Java Classloader#JAR hell – a form of dependency hell occurring in the Java Runtime Environment before build tools like Apache Maven solved this problem back in 2004.
RPM hell – a form of dependency hell occurring in the Red Hat distribution of Linux and other distributions that use RPM as a package manager.
