I'm still kind of baffled that the rust people saw what js was doing with npm and said "that's a great idea, let's do that!"

Or maybe it's just a lot of previous js devs doing this.

#rust

https://kerkour.com/rust-supply-chain-security-standard-library

Rust has a HUGE supply chain security problem

"If only Rust had this feature, we would use it for all our greenfield projects!" Said nobody. Rust adoption is stagnating not because it's missing some weird feature pushed by programming language theory fanatics, but because of a lack of focus on solving the practical problems that developers are facing

Sylvain Kerkour

@sotolf The good thing is that it is obvious that a project has dependencies and what exactly it depends on.

I have spent too much time finding random copies from random versions of random libraries (with random patches on top) copied into projects. And do not get me started on "header only libraries" -- the declaration of failure on dependency management.

@hunger Yeah, I love my tui program having 100+ dependencies (ratatui). The thing isn't that there is some automatic dependency thing; the problem is that there is no real stdlib or approximate, so what you have is that every other library depends on something else random that you haven't already downloaded. I have found even smaller stuff that I've worked on in rust having a many-GB folder for not really doing much.

@sotolf How would you build such an extended standard library?

* Make a crate with lots of other crates as dependencies. Simple to do, but keeps the entire mess visible.

* Bundle a bunch of crates in one repo. Hides the mess, but needs constant updates to keep in sync with the "real" crates and will not feel like one unit.

* Fork all the dependencies into your repo and smoothen out the API. Lots of work as you fork everything.

I hope there is more, as neither of my ideas seem great.

@hunger The other thing about a stdlib thing is that it has to be officially blessed so that people know to use it. It would need to have a good api that can influence others. There are a lot of things that are needed, and the best way is to deliver it with the language, which is one of the reasons rust is just not for me.

@sotolf so you want 3): Fork all the good libs, polish and integrate them with each other into one nice package that's blessed by "the language". That probably means a new crate in the rustlang org on github.

You end up setting a huge API into stone, and make it hard to continue developing the functionality: Languages with a big stdlib joke that it's where code goes to die.

At some point users start using alternatives in their programs and dependency hell is back.

@hunger Yeah yeah, rust is perfect, no way to make it better, other languages suck. I get where this will end up. You get points for "luring me into a trap", but no thanks, not interested in joining another dishonest "discussion".

@sotolf That particular approach seems not to have worked well in python, that's all.

The supply chain problem is very real and trying to automatically analyze all the crates that get uploaded for bad behavior is not going to solve that. `cargo crev` does not seem to scale.

Some form of "blessed crate list" (with extra eyes on those) is needed, we "just" need to figure out a good way to do that without killing what makes the crates popular in the first place.
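Two points in the thread are mechanically checkable from a project's lockfile: how many crates a program actually pulls in transitively (the "100+ dependencies" complaint above), and whether every one of them is on a "blessed crate list". The following is an added example, not code from anyone in the thread or from any Rust project: a standard-library-only Rust program that reads the `[[package]]` tables of a Cargo.lock, walks the dependency graph from a root crate, and reports every transitive dependency that is missing from an allowlist. The lockfile text and all crate names in it are constructed for illustration; the parser handles only the lockfile subset shown (one `key = value` per line plus a `dependencies` array), not general TOML.

```rust
// Added example (not from the thread): audit a Cargo.lock against a
// "blessed" crate allowlist and count transitive dependencies.
use std::collections::{HashMap, HashSet, VecDeque};

/// One `[[package]]` entry from Cargo.lock (only the fields we need).
#[derive(Debug, Clone, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub dependencies: Vec<String>, // bare crate names
}

fn unquote(s: &str) -> Option<String> {
    let s = s.trim();
    if s.len() >= 2 && s.starts_with('"') && s.ends_with('"') {
        Some(s[1..s.len() - 1].to_string())
    } else {
        None
    }
}

/// Cargo.lock writes "name 1.2.3" when several versions of a crate coexist;
/// keep only the crate name so the graph keys line up.
fn dep_name(item: &str) -> Option<String> {
    unquote(item.trim().trim_end_matches(',')).map(|d| d.split_whitespace().next().unwrap_or("").to_string())
}

/// Minimal parser for the `[[package]]` subset of Cargo.lock syntax.
pub fn parse_cargo_lock(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let mut current: Option<Package> = None;
    let mut in_deps = false; // inside a multi-line `dependencies = [` array
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = current.take() { packages.push(p); }
            current = Some(Package { name: String::new(), version: String::new(), dependencies: Vec::new() });
            in_deps = false;
            continue;
        }
        let Some(p) = current.as_mut() else { continue }; // skip preamble like `version = 3`
        if in_deps {
            if line.starts_with(']') { in_deps = false; continue; }
            if let Some(d) = dep_name(line) { p.dependencies.push(d); }
            continue;
        }
        if let Some((k, v)) = line.split_once('=') {
            let (k, v) = (k.trim(), v.trim());
            match k {
                "name" => p.name = unquote(v).unwrap_or_default(),
                "version" => p.version = unquote(v).unwrap_or_default(),
                "dependencies" if v == "[" => in_deps = true,
                "dependencies" => {
                    // single-line array: dependencies = ["a", "b"]
                    for item in v.trim_start_matches('[').trim_end_matches(']').split(',') {
                        if let Some(d) = dep_name(item) { p.dependencies.push(d); }
                    }
                }
                _ => {} // source, checksum, etc. are not needed here
            }
        }
    }
    if let Some(p) = current { packages.push(p); }
    packages
}

/// Every crate name reachable from `root` through the lockfile graph (root excluded).
pub fn transitive_deps(packages: &[Package], root: &str) -> HashSet<String> {
    let graph: HashMap<&str, &Vec<String>> =
        packages.iter().map(|p| (p.name.as_str(), &p.dependencies)).collect();
    let mut seen = HashSet::new();
    let mut queue = VecDeque::from([root.to_string()]);
    while let Some(n) = queue.pop_front() {
        if let Some(deps) = graph.get(n.as_str()) {
            for d in deps.iter() {
                if seen.insert(d.clone()) { queue.push_back(d.clone()); }
            }
        }
    }
    seen.remove(root); // a cycle could lead back to the root itself
    seen
}

/// Transitive dependencies of `root` that are not on the allowlist, sorted.
pub fn unblessed(packages: &[Package], root: &str, allowlist: &[&str]) -> Vec<String> {
    let allowed: HashSet<&str> = allowlist.iter().copied().collect();
    let mut out: Vec<String> = transitive_deps(packages, root)
        .into_iter().filter(|n| !allowed.contains(n.as_str())).collect();
    out.sort();
    out
}

/// Constructed sample lockfile; the crate names are made up for illustration.
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "tui-widgets",
 "colors",
]

[[package]]
name = "tui-widgets"
version = "0.4.2"
dependencies = [
 "colors",
 "unicode-width",
]

[[package]]
name = "colors"
version = "1.0.0"

[[package]]
name = "unicode-width"
version = "0.1.11"
dependencies = ["tiny-helper"]

[[package]]
name = "tiny-helper"
version = "0.0.3"
"#;

fn main() {
    let pkgs = parse_cargo_lock(SAMPLE_LOCK);
    let deps = transitive_deps(&pkgs, "myapp");
    println!("myapp pulls in {} transitive crates: {:?}", deps.len(), deps);
    // Hypothetical allowlist: the crates a team has reviewed and "blessed".
    for name in unblessed(&pkgs, "myapp", &["tui-widgets", "colors", "unicode-width"]) {
        println!("NOT on allowlist: {}", name);
    }
}
```

Run against a real project by replacing `SAMPLE_LOCK` with the contents of its Cargo.lock and the allowlist with whatever review process the team settles on; the useful output is the list of crates that reached the build without anyone having looked at them, which is the gap the "extra eyes" idea above is meant to close.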