undefined | Better HN

0 pointspalata2y ago0 comments

> They tend to be high quality and better vetted/tested

I thought anyone could publish rust packages, just like for PyPi? Are the packages audited before they are published in Rust?

> “too many” dependencies seems rather arbitrary

I would say that you have "too many" dependencies when you don't have control over them, e.g. because you can't afford auditing them or maintaining them. I have seen multiple Rust projects that I would rather rewrite myself than audit their tens (hundreds) of dependencies. That's "too many".

0 comments

4 comments · 1 top-level

troad2y ago· 3 in thread

> I thought anyone could publish rust packages, just like for PyPi? Are the packages audited before they are published in Rust?

Who prevents nasty C/C++ packages from being published? To my knowledge, anyone can just publish a C/C++ library.

> I would say that you have "too many" dependencies when you don't have control over them, e.g. because you can't afford auditing them or maintaining them. I have seen multiple Rust projects that I would rather rewrite myself than audit their tens (hundreds) of dependencies. That's "too many".

Then don't use them?

Your concerns appear to boil down to 'bad software exists'. Which... yeah. It does. Not sure what you want us to say. It's an intrinsic characteristic of open source / free software, and it's not like C/C++ is somehow under-represented (or Rust over-represented) in dodgy software.

There's plenty of closed ecosystems you can stick to if you don't trust yourself not to use dodgy dependencies (though I think this is a very strange concern to have).

palataOP2y ago

> Who prevents nasty C/C++ packages from being published? To my knowledge, anyone can just publish a C/C++ library.

Distros have system package managers that are checked by the distro maintainers. And by definition you trust the maintainers of your distro.

Somehow it feels like Rust does not go really well with distros (because it pushes for static linking).

> Your concerns appear to boil down to 'bad software exists'.

I was reacting to someone generalizing on C/C++ code, saying that "people dramatically overestimate it". I feel like it's nice to have some memory safety brought by Rust, but I find it a bit hypocritical to criticize the security of C/C++ code if Rust projects tend to statically link random code from hundreds of dependencies nobody ever reads. Because that's a big security issue IMO.

Sure, you can do it right with Rust. But you can also write good code with C/C++.

troad2y ago

> Distros have system package managers that are checked by the distro maintainers. And by definition you trust the maintainers of your distro.

You're comparing apples to oranges. Most C/C++ software in business use isn't pulling its dependencies from distro PMs, it's pulling them from some monstrous dark web of Visual Studio projects and opaque git repos. And on the other hand, Rust software that's distributed in distro PMs uses distro dependencies like any other package. Equally, as you note, the reverse exists. None of this tells us very much about Rust or C/C++ as languages.

> Rust projects tend to statically link random code from hundreds of dependencies nobody ever reads

'Tend to' is doing a lot of heavy lifting in that sentence, and doesn't seem to be based on very much more than 'I saw it a few times'. Well, I've seen my share of nightmarish C++ dependency trees. Is that a good argument against C++? Not really.

You're picking up on real issues - unnecessary and untrusted dependencies - except you're then erroneously drawing some imagined line in the sand where Rust bad and C/C++ good, which is where a rational argument seems to collapse into vibes. On the whole, there's a lot more C++ projects out there guilty of this than Rust projects.

> Sure, you can do it right with Rust. But you can also write good code with C/C++.

You can hammer a nail with a broom, but that doesn't make it the best tool for the job. The safety advantages of Rust can't just be hand-waved away. C is a fine programming language when safety is less of an issue. If you're writing a Nintendo emulator, sure, C, why not. If you're writing business logic that handles health data, maybe not.

1 more reply

iknowstuff2y ago

> But you can also write good code with C/C++.

That's funny, literally every data point I've read says otherwise. What are you reading?

1 more reply

j / k navigate · click thread line to collapse

0 comments

4 comments · 1 top-level

troad2y ago· 3 in thread

> I thought anyone could publish rust packages, just like for PyPi? Are the packages audited before they are published in Rust?

Who prevents nasty C/C++ packages from being published? To my knowledge, anyone can just publish a C/C++ library.

Then don't use them?

There's plenty of closed ecosystems you can stick to if you don't trust yourself not to use dodgy dependencies (though I think this is a very strange concern to have).

palataOP2y ago

> Who prevents nasty C/C++ packages from being published? To my knowledge, anyone can just publish a C/C++ library.

Distros have system package managers that are checked by the distro maintainers. And by definition you trust the maintainers of your distro.

Somehow it feels like Rust does not go really well with distros (because it pushes for static linking).

> Your concerns appear to boil down to 'bad software exists'.

Sure, you can do it right with Rust. But you can also write good code with C/C++.

troad2y ago

> Distros have system package managers that are checked by the distro maintainers. And by definition you trust the maintainers of your distro.

> Rust projects tend to statically link random code from hundreds of dependencies nobody ever reads

> Sure, you can do it right with Rust. But you can also write good code with C/C++.

1 more reply

iknowstuff2y ago

> But you can also write good code with C/C++.

That's funny, literally every data point I've read says otherwise. What are you reading?

1 more reply

j / k navigate · click thread line to collapse